Skip to Main Content

blogpost

COVID-
19: Key considerations for IT leaders in Higher Ed

05.12.20

Read this if you are a CIO, CFO, Provost, or President at a higher education institution.

In my conversations with CIO friends over the past weeks, it is obvious that the COVID-19 pandemic has forced a lot of change for institutions. Information technology is the underlying foundation for supporting much of this change, and as such, IT leaders face a variety of new demands now and into the future. Here are important considerations going forward.

Swift impact to IT and rapid response

The COVID-19 pandemic has had a significant impact on higher education. At the onset of this pandemic, institutions found themselves quickly pivoting to work from home (WFH), moving to remote campus operations, remote instruction within a few weeks, and in some cases, a few days. Most CIOs I spoke with indicated that they were prepared, to some extent, thanks to Cloud services and online class offerings already in place—it was mostly a matter of scaling the services across the entire campus and being prepared for returning students and faculty on the heels of an extended spring break.

Services that were not in place required creative and rapid deployment to meet the new demand. For example, one CIO mentioned the capability to have staff accept calls from home. The need for softphones to accommodate student service and helpdesk calls at staff homes required rapid purchase, deployment, and training.

Most institutions have laptop loan programs in place but not scaled to the size needed during this pandemic. Students who choose to attend college on campus are now forced to attend school from home and may not have the technology they need. The need for laptop loans increased significantly. Some institutions purchased and shipped laptops directly to students’ homes. 

CIO insights about people

CIOs shared seeing positive outcomes with their staff. Almost all of the CIOs I spoke with mentioned how the pandemic has spawned creativity and problem solving across their organizations. In some cases, past staffing challenges were put on hold as managers and staff have stepped up and engaged constructively. Some other positive changes shared by CIOs:

  • Communication has improved—a more intentional exchange, a greater sense of urgency, and problem solving have created opportunities for staff to get engaged during video calls.
  • Teams focusing on high priority initiatives and fewer projects have yielded successful results. 
  • People feel a stronger connection with each other because they are uniting behind a common purpose.

Perhaps this has reduced the noise that most staff seem to hear daily about competing priorities and incoming requests that seem to never end.

Key considerations and a framework for IT leaders 

It is too early to fully understand the impact on IT during this phase of the pandemic. However, we are beginning to see budgetary concerns that will impact all institutions in some way. As campuses work to get their budgets settled, cuts could affect most departments—IT included. In light of the increased demand for technology, cuts could be less than anticipated to help ensure critical services and support are uninterrupted. Other future impacts to IT will likely include:

  • Support for a longer term WFH model and hybrid options
  • Opportunities for greater efficiencies and possible collaborative agreements between institutions to reduce costs
  • Increased budgets for online services, licenses, and technologies
  • Need for remote helpdesk support, library services, and staffing
  • Increased training needs for collaborative and instructional software
  • Increased need for change management to help support and engage staff in the new ways of providing services and support
  • Re-evaluation of organizational structure and roles to right-size and refocus positions in a more virtual environment
  • Security and risk management implications with remote workers
    • Accessibility to systems and classes 

IT leaders should examine these potential changes over the next three to nine months using a phased approach. The diagram below describes two phases of impact and areas of focus for consideration. 

Higher Education IT Leadership Phases

As IT leaders continue to support their institutions through these phases, focusing on meeting the needs of faculty, staff, and students will be key in the success of their institutions. Over time, as IT leaders move from surviving to thriving, they will have opportunities to be strategic and create new ways of supporting teaching and learning. While it remains to be seen what the future holds, change is here. 

How prepared are you to support your institution? 

If we can help you navigate through these phases, have perspective to share, or any questions, please contact us. We’re here to help.

Related Industries

Related Professionals

Editor’s note: If you are a higher education CFO, CIO, CTO or other C-suite leader, this blog is for you.

The Gramm-Leach-Bliley Act (GLBA) has been in the news recently as the Federal Trade Commission (FTC) has agreed to extend a deadline for public comment regarding proposed changes to the Safeguards Rule. Here’s what you need to know.

GLBA, also known as the Financial Modernization Act, is a 1999 federal law providing rules to financial institutions for protecting consumer information. Colleges and universities fall under this act because they conduct financial activities (e.g., administration of financial aid, loans, and other financial services).

Under the Safeguards Rule financial Institutions must develop, implement, and maintain a comprehensive information security program that consists of safeguards to handle customer information.

Proposed changes

The FTC is proposing five modifications to the Safeguards Rule. The new act will:

  • Provide more detailed guidance to impacted institutions regarding how to develop and implement specific aspects of an overall information security program.
  • Improve the accountability of an institution’s information security programs.
  • Exempt small business from certain requirements.
  • Expand the definition of “financial institutions” to include entities engaged in activities that the Federal Reserve Board determines to be incidental to financial activities.
  • Propose to include the definition of “financial institutions” and related examples in the rule itself rather than cross-reference them from a related FTC rule (Privacy of Consumer Financial Information Rule).

Potential impacts for your institution

The Federal Register, Volume 84, Number 65, published the notice of proposed changes that once approved by the FTC would add more prescriptive rules that could have significant impact on your institution. For example, these rules would require institutions to:

  1. Expand existing security programs with additional resources.
  2. Produce additional documentation.
  3. Create and implement additional policies and procedures.
  4. Offer various forms of training and education for security personnel.

The proposed rules could require institutions to increase their commitment in time and staffing, and may create hardships for institutions with limited or challenging resources.

Prepare now

While these changes are not final and the FTC is requesting public comment, here are some things you can do to prepare for these potential changes:

  • Evaluate whether your institution is compliant to the current Safeguards Rule.
  • Identify gaps between current status and proposed changes.
  • Perform a risk assessment.
  • Ensure there is an employee designated to lead the information security program.
  • Monitor the FTC site for final Safeguard Rules updates.

In the meantime, reach out to us if you would like to discuss the impact GLBA will have on your institution or if you would like assistance with any of the recommendations above. You can view a comprehensive list of potential changes here.

Source: Federal Trade Commission. Safeguards Rule. Federal Register, Vol. 84, No. 65. FTC.gov. April 4, 2019. https://www.ftc.gov/enforcement/rules/rulemaking-regulatory-reform-proceedings/safeguards-rule

Blog
Higher ed: GLBA is the new four-letter word, but it's not as bad as you think

In light of the recent cyberattacks in higher education across the US, more and more institutions are finding themselves no longer immune to these activities. Security by obscurity is no longer an effective approach—all  institutions are potential targets. Colleges and universities must take action to ensure processes and documentation are in place to prepare for and respond appropriately to a potential cybersecurity incident.

BerryDunn’s Rick Gamache recently published several blog articles on incident response that are relevant to the recent cyberattacks. Below I have provided several of his points tailored to higher education leaders to help them prepare for cybersecurity incidents at their institutions.

What are some examples of incidents that managers need to prepare for?

Examples range from external breaches and insider threats to instances of malfeasance or incompetence. Different types of incidents lead to the same types of results—yet you can’t have a broad view of incidents. Managers should work with their teams to create incident response plans that reflect the threats associated with higher education institutions. A handful of general incident response plans isn’t going to cut it.

Managers need to work with their teams to develop a specific incident response plan for each specific type of incident. Why? Well, think of it this way: Your response to a careless employee should be different from your response to a malicious employee, for a whole host of legal reasons. Incident response is not a cookie-cutter process. In fact, it is quite the opposite. This is one of the reasons I highly suggest security teams include staff members outside of IT. When you’re responding to incidents, you want people who can look at a problem or situation from an external perspective, not just a technical or operational perspective within IT. These team members can help answer questions such as, what does the world see when they look at our institution? What institutional information might be valuable to, or targeted by, malicious actors? You’ll get some valuable fresh perspectives.

How short or long should the typical incident response plan be?

I often see good incident response plans no more than three or four pages in length. However, it is important that incident response plans are task oriented, so that it is clear who does what next. And when people follow an incident response plan, they should physically or digitally check off each activity, then record each activity.

What system or software do you recommend for recording incidents and responses?

There are all types of help desk software you can use, including free and open source software. I recommend using help desk software with workflow capabilities, so your team can assign and track tasks.

Any other tips for developing incident response plans?

First, managers should work with, and solicit feedback from across the academic and administrative areas within the institution when developing incident response plans. If you create these documents in a vacuum, they will be useless.

Second, managers and their teams should take their time and develop the most “solid” incident response plans possible. Don’t rush the process. The effectiveness of your incident response plans will be critical in assessing your institution’s ability to survive a breach. Because of this, you should be measuring your response plans through periodic testing, like conducting tabletop exercises.

Third, keep your students and external stakeholders in mind when developing these plans. You want to make sure external communications are consistent, accurate, and within the legal requirements for your institution. The last thing you want is students and stakeholders receiving conflicting messages about the incident. 

Are there any decent incident response plans in the public domain that managers and their teams can adapt for their own purposes?

Yes. My default reference is the National Institute of Standards and Technology (NIST). NIST has many special publications that describe the incident response process, how to develop a solid plan, and how to test your plan.

Should institutions have dedicated incident response teams?

Definitely. Institutions should identify and staff teams using internal resources. Some institutions may want to consider hiring a reputable third party to act as an incident response team. The key with hiring a third party? Don’t wait until an incident occurs! If you wait, you’re going to panic, and make panic-based decisions. Be proactive and hire a third party on retainer.

That said, institutions should consider hiring a third party on an annual basis to review incident response plans and processes. Why? Because every institution can grow complacent, and complacency kills. A third party can help gauge the strengths and weaknesses of your internal incident response teams, and provide suggestions for general or specific training. A third party can also educate your institution about the latest and greatest cyber threats.

Should managers empower their teams to conduct internal “hackathons” in order to test incident response?

Sure! It’s good practice, and it can be a lot of fun for team members. There are a few caveats. First, don’t call it a hackathon. The word can elicit negative or concerned reactions. Call it “active testing” or “continuous improvement exercises.” These activities allow team members to think creatively, and are opportunities for them to boost their cybersecurity knowledge. Second, be prepared for pushback. Some managers worry if team members gain more cybersecurity skills, then they’ll eventually leave the institution for another, higher-paying job. I think you should be committed to the growth of your team members―it’ll only make your institution more secure.

What are some best practices managers should follow when reporting incidents to their leadership?

Keep the update quick, brief, and to the point. Leave all the technical jargon out, and keep everything in an institutional context. This way leadership can grasp the ramifications of the event and understand what matters. Be prepared to outline how you’re responding and what actions leadership can take to support the incident response team and protect the institution. In the last chapter, I mentioned what I call the General Colin Powell method of reporting, and I suggest using that method when informing leadership. Tell them what you know, what you don’t know, what you think, and what you recommend. Have answers, or at least a plan.

How much institution-wide communication should there be about incidents?

That’s a great question, but a tough one to answer. Transparency is good, but it can also unintentionally lead to further incidents. Do you really want to let your whole institution know about an exploitable weakness? Also, employees can spread information about incidents on social media, which can actually lead to the spread of misinformation. If you are in doubt about whether or not to inform the entire institution about an incident, refer to your Legal Department. In general, institution-wide communication should be direct: We’ve had an incident; these are the facts; this is what you are allowed to say on social media; and this is what you’re not allowed to say on social media.

Another great but tough question: When do you tell the public about an incident? For this type of communication, you’re going to need buy-in from various sources: senior leadership, Legal, HR, and your PR team or external PR partners. You have to make sure the public messaging is consistent. Otherwise, citizens and the media will try to poke holes in your official story. And that can lead to even more issues.

What are the key takeaways for higher education leaders?

Here are key takeaways to help higher education leaders prepare for and respond appropriately to cybersecurity incidents:

  1. Understand your institution’s current cybersecurity environment. 
    Questions to consider: Do you have Chief Information Security Officer (CISO) and/or a dedicated cybersecurity team at your institution? Have you conducted the appropriate audits and assessments to understand your institution’s vulnerabilities and risks?
  2. Ensure you are prepared for cybersecurity incidents. 
    Questions to consider: Do you have a cybersecurity plan with the appropriate response, communication, and recovery plans/processes? Are you practicing your plan by walking through tabletop exercises? Do you have incident response teams?

Higher education continues to face growing threats of cybersecurity attacks – and it’s no longer a matter of if, but when. Leaders can help mitigate the risk to their institutions by proactively planning with incident response plans, communication plans, and table-top exercises. If you need help creating an incident response plan or wish to speak to us regarding preparing for cybersecurity threats, please reach out to us.
 

Blog
Cyberattacks in higher education—How prepared are you?

Focus on the people: How higher ed institutions can successfully make an ERP system change

The enterprise resource planning (ERP) system is the heart of an institution’s business, maintaining all aspects of day-to-day operations, from student registration to staff payroll. Many institutions have used the same ERP systems for decades and face challenges to meet the changing demands of staff and students. As new ERP vendors enter the marketplace with new features and functionality, institutions are considering a change. Some things to consider:

  1. Don’t just focus on the technology and make change management an afterthought. Transitioning to a new ERP system takes considerable effort, and has the potential to go horribly wrong if sponsorship, good planning, and communication channels are not in place. The new technology is the easy part of a transition—the primary challenge is often rooted in people’s natural resistance to change.  
  2. Overcoming resistance to change requires a thoughtful and intentional approach that focuses on change at the individual level. Understanding this helps leadership focus their attention and energy to best raise awareness and desire for the change.
  3. One effective tool that provides a good framework for successful change is the Prosci ADKAR® model. This framework has five distinct phases that align with ERP change:

These phases provide an approach for developing activities for change management, preparing leadership to lead and sponsor change and supporting employees through the implementation of the change.

The three essential steps to leveraging this framework:

  1. Perform a baseline assessment to establish an understanding of how ready the organization is for an ERP change
  2. Provide sponsorship, training, and communication to drive employee adoption
  3. Prepare and support activities to implement, celebrate, and sustain participation throughout the ERP transition

Following this approach with a change management framework such as the Prosci ADKAR® model can help an organization prepare, guide, and adopt ERP change more easily and successfully. 

If you’re considering a change, but need to prepare your institution for a healthy ERP transition using change management, chart yourself on this ADKAR framework—what is your organization’s change readiness? Do you have appropriate buy-in? What problems will you face?

You now know that this framework can help your changes stick, and have an idea of where you might face resistance. We’re certified Prosci ADKAR® practitioners and have experience guiding Higher Ed leaders like you through these steps. Get in touch—we’re happy to help and have the experience and training to back it up. Please contact the team with any questions you may have.

1Prosci ADKAR®from http://www.prosci.com

Blog
Perspectives of an Ex-CIO

Cloud services are becoming more and more omnipresent, and rapidly changing how companies and organizations conduct their day-to-day business.

Many higher education institutions currently utilize cloud services for learning management systems (LMS) and student email systems. Yet there are some common misunderstandings and assumptions about cloud services, especially among higher education administrative leaders who may lack IT knowledge. The following information will provide these leaders with a better understanding of cloud services and how to develop a cloud services strategy.

What are cloud services?

Cloud services are internet-based technology services provided and/or hosted by offsite vendors. Cloud services can include a variety of applications, resources, and services, and are designed to be easily scalable, cost effective, and fully managed by the cloud services vendor.

What are the different types?

Cloud services are generally categorized by what they provide. Today, there are four primary types of cloud services:

Cloud Service Types 

Cloud services can be further categorized by how they are provided:

  1. Private cloud services are dedicated to only one client. Security and control is the biggest value for using a private cloud service.
  2. Public cloud services are shared across multiple clients. Cost effectiveness is the best value of public cloud services because resources are shared among a large number of clients.
  3. Hybrid cloud services are combinations of on-premise software and cloud services. The value of hybrid cloud services is the ability to adopt new cloud services (private or public) slowly while maintaining on-premise services that continue to provide value.

How do cloud services benefit higher education institutions?

Higher education administrative leaders should understand that cloud services provide multiple benefits.
Some examples:

Cloud-Services-for-Higher-Education


What possible problems do cloud services present to higher education institutions?

At the dawn of the cloud era, many of the problems were technical or operational in nature. As cloud services have become more sophisticated, the problems have become more security and business related. Today, higher education institutions have to tackle challenges such as cybersecurity/disaster recovery, data ownership, data governance, data compliance, and integration complexities.

While these problems and questions may be daunting, they can be overcome with strong leadership and best-practice policies, processes, and controls.

How can higher education administrative leaders develop a cloud services strategy?

You should work closely with IT leadership to complete this five-step planning checklist to develop a cloud services strategy: 

1. 

Identify new services to be added or consolidated; build a business case and identify the return on investment (ROI) for moving to the cloud, in order to answer:

• 

What cloud services does your institution already have?

• 

What cloud services does your institution already have?

• 

What services should you consider replacing with cloud services, and why?

• 

How are data decisions being made?

2. 

Identify design, technical, network, and security requirements (e.g., private or public; are there cloud services already in place that can be expanded upon, such as a private cloud service), in order to answer:

• 

Is your IT staff ready to migrate, manage, and support cloud services?

• 

Do your business processes align with using cloud services?

• 

Do cloud service-provided policies align with your institution’s security policies?

• 

Do you have the in-house expertise to integrate cloud services with existing on-premise services?

3. 

Decide where data will be stored; data governance (e.g., on-premise, off-premise data center, cloud), in order to answer:

• 

Who owns the data in the institution’s cloud, and where?

• 

Who is accountable for data decisions?

4. 

Integrate with current infrastructure; ensure cloud strategy easily allows scalability for expansion and additional services, in order to answer:

• 

What integration points will you have between on-premise and cloud applications or services, and can the institution easily implement, manage, and support them?

5. 

Identify business requirements — budget, timing, practices, policies, and controls required for cloud services and compliance, in order to answer:

• 

Will your business model need to change in order to support a different cost model for cloud services (i.e., less capital for equipment purchases every three to five years versus a steady monthly/yearly operating cost model for cloud services)?

• 

Does your institution understand the current state and federal compliance and privacy regulations as they relate to data?

• 

Do you have a contingency plan if its primary cloud services provider goes out of business?

• 

Do your contracts align with institutional, state, and federal guidelines?

Need assistance?

BerryDunn’s higher education team focuses on advising colleges and universities in improving services, reducing costs, and adding value. Our team is well qualified to assist in understanding the cloud “skyscape.” If your institution seeks to maximize the value of cloud services or develop a cloud services strategy, please contact me.

Blog
Cloud services 101: An almanac for higher education leaders

Read this if you use, manage, or procure public safety and corrections technology. 

When initiating the selection of a new technology platform to replace legacy software, how does an agency ensure the new system addresses functional and technical requirements while also complying with procurement standards? Request for Proposals (RFP) serve as an effective purchasing vehicle, particularly when agencies seek to identify modern technology with professional services to implement the software. While correctional agencies may use an RFP to engage a new Offender Management System (OMS) provider, the complexities of the industry and vast range of best practices complicate the planning, scoping, issuance, and evaluation process. 

With the long-term vision set to complete projects on time, under budget, and within scope, independent third-parties write technology RFPs to enhance traceability and accountability during implementation.

An independent third-party can help your agency:

  1. Define a meaningful project scope to scale the vendor market and guide quality proposals
  2. Develop effective forms, worksheets, and attachments to supplement RFP requirements to support compliance and meet proposal standards
  3. Build a balanced evaluation committee with impartial scoring criteria to represent agency-wide needs and fairly rank vendors
  4. Craft a structured procurement package that attracts multiple vendors to find the solution that best fits your needs
  5. Design a reasonable and achievable RFP schedule of events to finish the project in a timely manner
  6. Reduce ambiguity and increase clarity of RFP terms to streamline the process

If your agency incorporates a sound strategy to craft a meaningful RFP, then a lengthy, meandering procurement journey will become a well-defined, objective, and seamless process to identify new software. Furthermore, you can enhance competitive responses with an RFP free from ambiguity―and full of clarity.

If your corrections agency does engage outside help to facilitate development of an RFP for new OMS software, you should ensure that the third party you engage has experience supporting a meaningful, balanced, and structured purchasing process. BerryDunn injects best practices from the Corrections Technology Association (CTA) and American Probation and Parole Association (APPA). Pairing CTA and APPA standards with an RFP tailored to the technology markets will help an agency boost vendor responses to ultimately improve critical operations.

Reach out to our professional team directly for questions, or look out for our next blog providing insight on leveraging industry standards (e.g., CTA, APPA) when crafting an RFP for corrections technology.
 

Blog
Sourcing new IT systems: Third-party advantages

Read this if your organization, business, or institution is receiving financial assistance as a direct result of the COVID-19 pandemic.

Updated: August 5, 2020

Many for-profit and not-for-profit organizations are receiving financial assistance as a direct result of the COVID-19 pandemic. While there has been some guidance, there are still many unanswered questions. One unanswered question has been whether or not any of this financial assistance will be subject to the Single Audit Act. Good news―there’s finally some guidance:

  • For organizations receiving financial assistance through the Small Business Administration (SBA) Payroll Protection Program (PPP), the SBA made the determination that financial assistance is not subject to the Single Audit.
  • The other common type of financial assistance through the SBA is the Emergency Injury Disaster Loan (EIDL) program. The SBA has made the determination that as these are direct loans with the federal government, they will be subject to the Single Audit. 

It is unlikely there will be guidance within the 2020 Office of Management and Budget (OMB) Compliance Supplement related to testing the EIDL program, as the Compliance Supplement anticipated in June 2020 will not have any specific information relative to COVID-19. The OMB announced they will likely be issuing an addendum to the June supplement information specific to COVID-19 by September 2020.

Small- and medium-sized for-profit organizations, and now not-for-profit organizations, are able to access funds through the Main Street Lending Program, which is comprised of the Main Street New Loan Facility, the Main Street Priority Loan Facility, the Main Street Expanded Loan Facility, the Nonprofit Organization New Loan Facility, and the Nonprofit Organization Expanded Loan Facility. We do not currently know how, or if, the Single Audit Act will apply to these loans. Term sheets and frequently asked questions can be accessed on the Federal Reserve web page for the Main Street Lending Program.

Not-for-profits have also received additional financial assistance to help during the COVID-19 pandemic, through Medicare and Medicaid, and through the Higher Education Emergency Relief Fund (HEERF). While no definitive guidance has been received, HEERF funds, which are distributed through the Department of Education’s Education Stabilization Fund, have been assigned numbers in the Catalog of Federal Domestic Assistance, which seems to indicate they will be subject to audit. We are currently awaiting guidance if these programs will be subject to the Single Audit Act and will update this blog as that information becomes available.

Healthcare providers are able to access Provider Relief Funds (PRF) through the US Department of Health & Human Services. PRF help with healthcare-related expenses or lost revenue attributable to COVID-19. Guidance on what qualifies as a healthcare-related expense or lost revenue is still in process, and regular updates are posted on the FAQs of the US Department of Health & Human Services website. According to the Health Resources and Services Administration (HRSA), PRF funds will be subject to the Single Audit Act requirements. It is important to note that while an organization may have received funds exceeding the threshold, it is the expenditure of these funds that counts toward the Single Audit threshold.

If you have questions about accounting for, or reporting on, funds that you have received as a result of the COVID-19 pandemic, please contact a member of our Single Audit Team. We’re here to help.

Blog
COVID-19: Single audit and uniform guidance clarifications

Read this if your organization, business, or institution is receiving financial assistance as a direct result of the COVID-19 pandemic.

Updated: August 5, 2020

We expect to receive guidance on how to determine what qualifies as lost revenue in mid-August, and will post additional information when that becomes available. If you would like the information sent to you directly, please contact Grant Ballantyne.

New information continues to surface about the reporting requirements of the CARES Act Provider Relief Funds (PRFs). The most recent news published by the Health Resources and Services Administration (HRSA) states the funds will be subject to the Single Audit Act requirements. What does this mean and how does it impact your organization? Here’s a brief synopsis. 

A Single Audit (often referred to as a Uniform Guidance audit) is required when total federal grant expenditures for an organization exceed $750,000 in a fiscal year. It is important to note that while an organization may have received funds exceeding the threshold, it is the expenditure of these funds that counts toward the Single Audit threshold.  

PRFs help with healthcare-related expenses or lost revenue attributable to COVID-19. Guidance on what qualifies as a healthcare-related expense or lost revenue is still in process, and regular updates are posted on the FAQs of the US Department of Health & Human Services website.

You may remember, there were originally quarterly reporting requirements related to PRFs. On June 13, 2020 HHS updated their FAQ document to reflect a change in quarterly reporting requirements related to PRFs. According to the updated language, “Recipients of Provider Relief Fund payments do not need to submit a separate quarterly report to HHS or the Pandemic Response Accountability Committee. HHS will develop a report containing all information necessary for recipients of Provider Relief Fund payments to comply with this provision.”

Organizations that receive more than $150,000 in PRFs must still submit reports to ensure compliance with the conditions of the relief funds, but the content of the reports and dates on which these are due is yet to be determined (as of August 4, 2020). The key distinction to remember here is that this limit is based on total funds received, regardless of whether or not expenditures have been made. 

As more information comes out, we will update our website. At the moment the main takeaways are:

  • Expending $750,000 of combined relief funds and other federal awards will trigger a Single Audit
  • Receiving $150,000 of PRFs will cause reporting requirements, on a to-be-determined basis
  • Tracking PRF expenditures throughout the fiscal year will be essential for the dual purpose of reporting expenditures and accumulating any potential Single Audit support

If you would like to speak with a BerryDunn professional about reporting under the Single Audit Act, please contact a member of our Single Audit Team.

Blog
Provider Relief Funds Single Audit

Read this if you are a business with employees working in states other than their primary work location.

The COVID-19 pandemic has forced many of us to leave our offices to work remotely. For many businesses, that means having employees working from home in another state. As telecommuting become much more prevalent, due to both the pandemic and technological advances, state income tax implications have come to the forefront for businesses that now have a remote workforce and employees that may be working in a state other than their primary work location. 

Bipartisan legislation known as the Remote and Mobile Worker Relief Act of 2020 (S.3995) was introduced in the US Senate on June 18, 2020 to address the state and local tax implications of a temporary or permanent remote workforce. The legislation addresses both income tax nexus for business owners and employer-employee payroll tax responsibilities for a remote workforce. Here are some highlights:

Business income tax responsibility

The legislation would provide a temporary income tax nexus exception for businesses with remote employees in other states due to COVID-19. The exception would relieve companies from having nexus for a covered period, provided they have no other economic connection to the state in question. The covered period begins the date employees began working remotely and ends on either December 31, 2020 or the date on which the employer allows 90% of its permanent workforce to return to their primary work location, whichever date comes first.

The temporary tax nexus exception is welcome news for many business owners and employers, as a recent survey by Bloomberg indicated that three dozen states would normally consider a remote employee as a nexus trigger. Additional nexus would certainly add further income tax compliance requirements and potentially additional tax liabilities, complications that no businesses need in this already challenging environment.

Employee and employer tax responsibility

The tax implications for telecommuting vary wildly from state to state and most have not addressed how current laws would be adjusted or enforced due to the current environment. For example, New York implements a “convenience of the employer” rule. So if an out-of-state business has an employee working from home in New York, whether or not those wages are subject to New York state income tax depends on the purpose for the telecommuting arrangement. 

New York’s policy is problematic in the current environment. Arguments could be made that the employee is working for home at their convenience, at the employer’s convenience, or due to a government mandate. It is unclear which circumstance would prevail and as of this writing, New York has not addressed how this rule would apply.

If enacted, the Remote and Mobile Worker Relief Act would restrict a state’s authority to tax wage income earned by employees for performing duties in other states. The legislation would create a 90-day threshold for determining nonresident income tax liability for calendar year 2020, enhancing a bill in the House which proposes a 30-day threshold.

The 90-day threshold applies specifically to instances where the employee work arrangement is different due to the COVID-19 pandemic. For future years, the bill would put in place a standardized 30-day bright-line test, making it easier for employees to know when they are liable for non-resident state income taxes and for employers to know which states they need to withhold payroll taxes. 

What do you need to do?

With or without legislation, the year-end income tax filings and information gathering will be very different for tax year 2020. It’s more important than ever for business owners to have proper record keeping on where their employees are working on a day-to-day basis. This information is crucial in determining potential tax exposure and identifying a strategy to mitigate it. The Remote and Mobile Worker Relief Act would provide needed guidance and restore some sense of tax compliance normalcy.

If you would like more information, or have a question about your specific situation, please contact your BerryDunn tax consultant. We’re here to help.
 

Blog
The remote worker during COVID-19: Tax nexus and the new normal

Read this if you are a state Medicaid or CHIP agency.

The Centers for Medicare & Medicaid Services (CMS) has temporarily suspended all Payment Error Rate Measurement (PERM) improper payment-related engagement/communication and data requests to providers and state agencies as a result of the COVID-19 nationwide public health emergency declaration. 

CMS has also adopted a temporary policy of relaxed enforcement regarding activities related to Medicaid Eligibility Quality Control (MEQC) until further notice.

CMS continues to provide state Medicaid and Children’s Health Insurance Program (CHIP) agencies with a number of methods to assist in each state’s approach and response to the COVID-19 pandemic. Some flexibilities offered to state Medicaid and CHIP agencies include:

  • Eligibility and enrollment 
  • Benefits 
  • Cost-sharing 
  • Financing 
  • Managed care 

While this has been communicated with state Medicaid and CHIP agencies, you should take some important steps to manage these flexibilities to ensure you don’t encounter issues when PERM and MEQC review activities resume. Reviews are conducted according to state and federal policies and regulations in force at the time of service on the sampled claims under review. 

CMS has issued guidance to identify whether or not each of the flexibilities requires an approved state plan amendment (SPA), waiver, or whether simply providing documentation in the individual case file will provide the required support when PERM and MEQC activities resume. 

Additionally, it is equally important to ensure the “pre-COVID” processes and procedures resume immediately upon expiration of the public health emergency declaration in order to remain in compliance with state and federal regulations. 

Here are a few key considerations to help reduce the number of errors identified once PERM resumes:

  • Management of new state-specific policies and procedures in effect during the COVID-19 pandemic is critical. You need to ensure all processes requiring CMS approval or notification have been enacted and that these temporary processes revert back to pre-COVID processes immediately upon termination of the public health emergency.
  • Continued training and guidance to Medicaid and CHIP staff during this time to ensure understanding of expectations and adherence to new processes. Applying and understanding eligibility and enrollment flexibilities for both members and providers is vital to meet all expectations and documentation requirements.

New updates continue to be announced by CMS to ensure Americans have access to the care they need during this time. This requires remaining diligent to the expectations of these flexibilities and preparing for the impact of PERM and MEQC outcomes when these activities resume. This is key to reducing improper payment error rates. 

For additional detailed information regarding the identified flexibilities above, please refer to the PERM cycle preparation tool we have prepared.

If you have questions regarding relaxed requirements or you would like to have an in-depth conversation with our PERM experts, please contact the team.
 

Blog
PERM is suspended―key considerations during COVID-19 

Read this if you are a leader at a state Medicaid agency, Long-Term Care Hospital, Rural Health Clinic, Federally Qualified Health Center, or intermediate care facility.

The new fact sheet from CMS provides state and local governments that may be developing alternate care sites with information on how to receive payments for acute inpatient and outpatient care through federal programs, including Medicare, Medicaid, and the Children’s Health Insurance Program (CHIP).

CMS notes that it is easiest for an existing enrolled hospital or health system to obtain payments through CMS programs for covered health care services furnished at the ACS by treating the ACS as a short-term extension of their current ‘brick-and-mortar’ facilities. 

State and local governments that want to build a hospital ACS have three options if they wish to be paid by CMS for providing covered hospital inpatient and outpatient services:

  1. Transfer operation and billing for care delivered in the ACS to a hospital or health system which is enrolled
  2. Enroll the ACS as a new hospital in CMS programs
  3. As an alternative, instead of making facility payments, enrolled physicians or other non-physician practitioners may bill for covered services that they furnish at the ACS

CMS guidance to states on implementing the optional COVID-19 testing group 

CMS has provided new guidance to states who may be planning to implement the Optional COVID-19 Testing Group, which was established by the Families First Coronavirus Response Act (FFCRA) for uninsured individuals in order to furnish COVID-19 testing and associated services.

  • The guidance from CMS outlines the different requirements connected with implementing the uninsured group, inclusive of eligibility and enrollment, data reporting, and claims. 
  • The guidance also describes flexibilities available to help states achieve implementation of the new group and strategies to meet related requirements. 
  • For more information related to the eligibility requirements and the Federal Medical Assistance Percentage (FMAP) available for coverage, states can also refer to Section B of the FFCRA and Coronavirus Aid, Relief, and Economic Security (CARES) Act Frequently Asked Questions (FAQs) posted April 13, 2020.

CMS announces enhanced enforcement actions based on nursing home COVID-19 data and inspection results

Earlier in the month of June, CMS released new guidelines related to enforcement for nursing homes who may have violations of infection control practices.

  • CMS intends to apportion $80 million in CARES Act funding to states in order to increase infection control surveys. With CARES Act funding, states will be required to carry out on-site surveys of nursing homes with previous COVID-19 outbreaks, in addition to nursing homes with newly confirmed cases.
  • CMS will make technical assistance available in support of this effort through Quality Improvement Organizations (QIOs) for nursing homes to assist in establishing best practices for infection control.
  • States are required to submit 100% of focused surveys of their nursing homes to CMS by July 31, 2020. It should be noted that submission delays may result in reductions to a state’s Cares Act allocation for FFY 2021.

HHS announces 45-day compliance deadline extension for providers

On May 22, The Department of Health and Human Service (HHS) announced a 45-day extension to the deadline for providers who are receiving payments from the Provider Relief Fund to accept the necessary terms and conditions of the payments.

  • Should providers wish to keep funds—which may have been automatically dispersed—they must agree to the terms and conditions of the Provider Relief Fund.
  • In order to support impacted facilities there is $50 billion in available COVID-19 relief funding for distribution to providers that bill for Medicare beneficiaries.
  • The announcement from HHS gives providers 90 days from the original receipt date of a payment to accept the terms and conditions.  Alternatively, providers may choose to return the funds.

HHS announces $4.9 billion distribution to nursing facilities impacted by COVID-19

HHS has announced it has begun the distribution of additional relief funds to Skilled Nursing Facilities (SNFs) in order to address ongoing needs related to COVID-19. Such needs include labor, improving testing capacity, and obtaining personal protective equipment as well as additional expenses specifically linked to the COVID-19 pandemic.

  • HHS intends to make the fund distributions to SNFs on both a fixed and variable basis. 
  • Each eligible SNF will receive a fixed dissemination of $50,000 in addition to an allotment of $2,500 per bed. All certified SNFs with six or more certified beds will be eligible for this distribution.
  • Recipients of these funds must attest that they will use Provider Relief Fund payments for allowed purposes under the terms and conditions as well as agree to comply with future audit and reporting requirements.

We’re here to help. If you have more questions or want to have an in-depth conversation about your specific situation, please contact the Medicaid consulting team

Blog
CMS releases new guidance on Alternate Care Sites, the optional COVID-19 testing group, and more

Read this if your organization, business, or institution has leases and you’ve been eagerly awaiting and planning for the implementation of the new lease standards.

Ready? Set? Not yet. As we have prepared for and experienced delays related to Financial Accounting Standards Board (FASB) Accounting Standards Codification Topic 842, Leases, and Governmental Accounting Standards Board (GASB) Statement No. 87, Leases, we thought the time had finally come for implementation. With the challenges that COVID-19 has brought to everyone, the FASB and GASB recognize the significant impact COVID-19 has had on commercial businesses, state and local governments, and not-for-profits and both have proposed delays in effective dates for various accounting standards, including both lease standards.

But wait, there’s more! In response to feedback FASB received during the comment period for the lease standard, the revenue recognition standard has also been extended. We didn’t see that coming, and expect that many organizations that didn’t opt for early adoption will breathe a collective sigh of relief.

FASB details and a deeper dive

On May 20, 2020, FASB voted to delay the effective date of the lease standard and the revenue recognition standard. A formal Accounting Standards Update (ASU) summarizing these changes will be released early June. Here’s what we know now:

  • Revenue recognition―for entities that have not yet issued financial statements, the effective date of the application of FASB Accounting Standards Codification (ASC) Topic 606, Revenue Recognition, has been delayed by 12 months (effective for reporting periods beginning after December 15, 2019). This does not apply to public entities or nonpublic entities that are conduit debt obligors who previously adopted this guidance.
  • Leases―for entities that have not yet adopted the guidance from ASC 842, Leases, the effective date has been extended by 12 months (effective for reporting periods beginning after December 15, 2021).
  • Early adoption of either standard is still allowed.

FASB has also provided clarity on lease concessions that are highlighted in Topic 842. 

We recognize many lessors are making concessions due to the pandemic. Under current guidance in Topics 840 and 842, changes to lease contracts that were not included in the original lease are generally accounted for as lease modifications and, therefore, a separate contract. This would require remeasurement of the new lease contract and related right-of-use asset. 

FASB recognized this issue and has published a FASB Staff Questions and Answers (Q&A) Document, Topic 842 and Topic 840: Accounting for Lease Concessions Related to the Effects of the COVID-19 Pandemic. Under this new guidance, if lease concessions are made relating to COVID-19, entities do not need to analyze each contract to determine if a new contract has been entered into, and will have the option to apply, or not to apply, the lease modification provisions of Topics 840 and 842.

GASB details

On May 8, 2020, GASB issued Statement No. 95, Postponement of the Effective Dates of Certain Authoritative Guidance. GASB 95 extends the implementation dates of several pronouncements including:
•    Statement No. 84, Fiduciary Activities―extended by 12 months (effective for reporting periods beginning after December 15, 2019)
•    Statement No. 87, Leases―extended by 18 months (effective for reporting periods beginning after June 15, 2021)

More information

If you have questions, please contact a member of our financial statement audit team. For other COVID-19 related resources, please refer to BerryDunn’s COVID-19 Resources Page.
 

Blog
May 2020 accounting standard delay status: GASB and FASB

Read this if you are planning for, or are in the process of implementing a new software solution.

User Acceptance Testing (UAT) is more than just another step in the implementation of a software solution. It can verify system functionality, increase the opportunity for a successful project, and create additional training opportunities for your team to adapt to the new software quickly. Independent verification through a structured user acceptance plan is essential for a smooth transition from a development environment to a production environment. 

Verification of functionality

The primary purpose of UAT is to verify that a system is ready to go live. Much of UAT is like performing a pre-flight checklist on an aircraft. Wings... check, engines... check, tires... check. A structured approach to UAT can verify that everything is working prior to rolling out a new software system for everyone to use. 

To hold vendors accountable for their contractual obligations, we recommend an agency test each functional and technical requirement identified in the statement of work portion of their contract. 

It is also recommended that the agency verify the functional and technical requirements that the vendor replied positivity to in the RFP for the system you are implementing. 

Easing the transition to a new software

Operational change management (OCM) is a term that describes a methodology for making the switch to a new software solution. Think of implementing a new software solution like learning a new language. For some employees, the legacy software solution is the only way they know how to do their job. Like learning a new language, changing the way business and learning a new software can be a challenging and scary task. The benefits outweigh the anxiety associated with learning a new language. You can communicate with a broader group of people, and maybe even travel the world! This is also true for learning a new software solution; there are new and exciting ways to perform your job.

Throughout all organizations there will be some employees resistant to change. Getting those employees involved in UAT can help. By involving them in testing the new system and providing feedback prior to implementation, they will feel ownership and be less likely to resist the change. In our experience, some of the most resistant employees, once involved in the process, become the biggest champions of the new system.  

Training and testing for better results

On top of the OCM and verification benefits a structured UAT can accomplish, UAT can be a great training opportunity. An agency needs to be able to perform actions of the tested functionality. For example, if an agency is testing a software’s ability to import a document, then a tester needs to be trained on how to do that task. By performing this task, the tester learns how to login to the software, navigate the software, and perform tasks that the end user will be accomplishing in their daily use of the new software. 

Effective UAT and change management

We have observed agencies that have installed software that was either not fully configured or the final product was not what was expected when the project started. The only way to know that software works how you want is to test it using business-driven scenarios. BerryDunn has developed a UAT process, customizable to each client, which includes a UAT tracking tool. This process and related tool helps to ensure that we inspect each item and develop steps to resolve issues when the software doesn’t function as expected. 

We also incorporate change management into all aspects of a project and find that the UAT process is the optimal time to do so. Following established and proven approaches for change management during UAT is another opportunity to optimize implementation of a new software solution. 

By building a structured approach to UAT, you can enjoy additional benefits, as additional training and OCM benefits can make the difference between forming a positive or a negative reaction to the new software. By conducting a structured and thorough UAT, you can help your users gain confidence in the process, and increase adoption of the new software. 

Please contact the team if you have specific questions relating to your specific needs, or to see how we can help your agency validate the new system’s functionality and reduce resistance to the software. We’re here to help.   
 

Blog
User Acceptance Testing: A plan for successful software implementation

The BerryDunn Recovery Advisory Team has compiled this guide to COVID-19 consulting resources for state and local government agencies and higher education institutions.

We have provided a list of our consulting services related to data analysis, CARES Act funding and procurement, and legislation and policy implementation. Many of these services can be procured via the NASPO ValuePoint Procurement Acquisition Support Services contract.

READ THE GUIDE NOW

We're here to help.
If you have any questions, please contact us at info@berrydunn.com

Blog
COVID-19 consulting resources

Read this if you are at a state Medicaid agency or CHIP agency.

CMS has posted additional Frequently Asked Questions (FAQs) to Medicaid.gov, to aid state Medicaid and Children’s Health Insurance Program (CHIP) agencies in their response to the coronavirus disease 2019 (COVID-19) pandemic.

These new FAQs have been integrated into the previously released COVID-19 FAQ document. The new FAQs cover a variety of Medicaid and CHIP topics, including:

  • Emergency Preparedness and Response
  • Eligibility and Enrollment Flexibilities
  • Benefit Flexibilities
  • Cost-Sharing Flexibilities
  • Financing Flexibilities  
  • Managed Care Flexibilities
  • Information Technology  
  • Data Reporting

Updated CMS processes for reviewing 2021 contracts between states and Medicare Dual Eligible Special Needs Plans (D-SNPs)

CMS has issued a reminder to states of the upcoming submission deadline for the Contract Year (CY) 2021 contracts with Medicare Advantage Dual Eligible Special Needs Plans (D-SNPs). The due date for D-SNPs to submit to CMS their CY 2021 contracts with the state Medicaid agencies is July 6, 2020.

  • CMS encourages state Medicaid agencies to review the November 14, 2019 Informational Bulletin that describes new requirements for CY 2021 D-SNP contracts, which CMS finalized in rulemaking to implement new statutory provisions of the Bipartisan Budget Act (BBA) of 2018.
  • The Integrated Care Resource Center (ICRC) continues to provide technical assistance to states to help with the implementation of these new requirements. CMS and ICRC have a number of important resources for states regarding the new requirements for contracts with D-SNPs. Additional resources for states can be found here.
  • As a result of COVID-19, CMS is extending the review and approval timelines to allow D-SNPs more time to work with states on the new CY 2021 requirements. As a result, D-SNPs will have until November 2, 2020 to resubmit revised state Medicaid agency contracts or contract amendments.

CMS announces rule changes to support healthcare workforce augmentation

CMS has taken steps to limit or remove potential barriers for hiring and retaining physicians, nurses, and other healthcare professionals in order to keep staffing levels high at healthcare facilities.

  • In response to the need for in-home services during the COVID-19 crisis, nurse practitioners, clinical nurse specialists, and physician assistants can now provide home health services. These changes are effective for both Medicare and Medicaid.
  • Prior to this, Medicare and Medicaid home health member were only able to receive home health services with the certification of a physician. 
  • Physicians and other practitioners whose privileges are expiring will be able to continue taking care of patients. Consistent with a change made for hospitals, CMS is waiving a requirement for ambulatory surgery centers to periodically reappraise medical staff privileges during the COVID-19 emergency declaration. 

Interim Final Rule Updating Requirements for Notification of Confirmed and Suspected COVID-19 Cases Among Residents and Staff in Nursing Homes 

CMS has issued a memo along with frequently asked questions which address the new requirement that nursing homes and long term care facilities report COVID-19 facility data to the Centers for Disease Control and Prevention (CDC).

  • CMS will be requiring nursing homes to report COVID-19 facility data to the CDC and to residents, their representatives, and families of residents in facilities. 
  • CMS has updated the COVID-19 Focused Survey for Nursing Homes, Entrance Conference Worksheet, COVID-19 Focused Survey Protocol, and Summary of the COVID-19 Focused Survey for Nursing Homes to reflect COVID-19 reporting requirements. 
  • CMS will begin posting data from the CDC National Healthcare Safety Network (NHSN) for viewing by facilities, stakeholders, or the general public. The COVID-19 public use file will be available on https://data.cms.gov/.
     

Increase hospital capacity - CMS Hospitals Without Walls

On April 30, CMS announced expansions of the Hospitals Without Walls initiative, granting flexibility for services to be provided outside of traditional venues.

  • CMS is encouraging the use of existing flexibilities that allow outpatient hospital services to be delivered outside of traditional settings, such as at expansion locations, converted hotels or parking lots, or patients’ homes.
  • Certain outpatient departments that relocate off-site can qualify to be paid under the Outpatient Prospective Payment System (OPPS), rather than the Physician Fee Schedule.
  • Hospitals may relocate outpatient departments to more than one off-campus location, or partially relocate while still furnishing care at the original site.
  • As part of the CARES Act, long-term acute-care hospitals can now accept patients from any acute-care hospital and be paid at a higher Medicare rate.

We’re here to help. If you have more questions or want to have an in-depth conversation about your specific situation, please contact the team

Blog
Additional Medicaid & CHIP COVID-19 FAQs

Read this if you are in administration at a college or university.

Colleges and universities have been working around the clock to convert their in-person academic programming to online learning and to quickly disburse grant funding to students in line with broad eligibility requirements, all while adjusting to their own new work environments. In the search for funding in a time when many institutions are refunding student payments at unexpected and unprecedented levels, many institutions have found themselves ineligible for the Payroll Protection Program (PPP) offered under the CARES Act if the federal work study students were included in the employee count. In a welcome change, a recent interim final rule issued by the US Small Business Administration (SBA) has been released that will change the eligibility criteria for the emergency relief offered under the PPP. One of the most notable changes in the interim rule will allow colleges and universities to exclude federal work study students in determining their eligibility. 

Student workers have historically counted as employees under SBA programs. This temporary change would provide relief for many small institutions, whose federal work study programs would otherwise drive up their employment pool over the 500 employee threshold and exclude them from participation in the PPP. While federal work study positions fill important roles throughout many campus facilities, this interim final rule recognizes the primary function of a federal work study program is to provide financial aid for students attending school and is incidental to the role of the student on campus. As expected, as these positions are mostly federally funded, the interim final rule excludes these expenditures in determining the available loan amount under the PPP.

These changes are consistent with other areas of existing federal law, as noted in the interim final rule, these workers are already generally exempt from other federal employment requirements, like Federal Unemployment taxes. In order to allow for swift action, the interim final rule is effective immediately upon posting to the federal register.

We’re here to help.
For more information, or if you have questions about your specific situation, please contact the higher education consulting team.

Blog
Federal Work-Study (FWS) excluded from PPP eligibility determination

Read this if you are a leader at a state Medicaid agency.

Leveraging Medicaid to support and fund state efforts
In infectious disease control and prevention, contact tracing is the process of identifying people who may have come into contact with an infected person and tracking with whom the infected person has been in contact. The intent is to halt the chain of transmission. State Medicaid Agencies (SMAs) may be able to leverage the Medicaid program to support state efforts with systems, training, and reimbursement for contact tracing. 

What is contact tracing?
Tracing the contacts of infected individuals throughout a community, testing their contacts for infection, and treating and quarantining the disease when it is found is a long-standing practice to address infectious diseases. While contact tracing may not be a service that is reimbursable by Medicaid, it may be possible for Medicaid to cover a broader package of services designed to slow the spread of COVID-19.

Contact tracing has three major components:

  1. Contact identification—Confirmation of an individual’s infection is the first step. Once identified, it is essential to identify any additional people with whom that person came into contact, including family, co-workers, community members, etc.
  2. Contact tracing—After conducting a complete review of the individual's contacts, outreach begins to inform them of their contact status and discuss critical next steps, starting with testing.
  3. Contact follow-up—Continued follow-up with identified contacts helps prevent the spread of infection by monitoring spread and/or additional symptoms.

Public health experts maintain that contact tracing is one of the tools needed to manage the pandemic. Medicaid can play a key role in supporting systems, training, and reimbursement for contact tracing. This is enabled through Medicaid’s unique role as a significant payer in the healthcare system, along with its role as a government partnership between federal and state governments. In addition, acting to implement contact tracing may offer an opportunity to increase employment at a time when the economy has shed countless jobs. 

Systems and training: Medicaid support for health IT system
To support contact tracing, Medicaid agencies can leverage 75% or 90% federal match or Federal Financial Participation (FFP) for the systems, training, and equipment. This match is applicable for the Medicaid population, while the remainder likely needs to be cost-allocated to other state programs. Activities that can qualify include:

  • Design, development, and installation (DDI) of Medicaid solutions. The Centers for Medicare and Medicaid Services (CMS) may allow this funding to apply to data-tracking systems or changes to support new reimbursement models. 
  • Provider outreach and training related to systems operation, such as training on claims submissions, claims processing, and eligibility inquiries related to case management and care coordination.
  • Training of vendor or state personnel directly engaged in the operation of an approved system, including workers processing claims or determining eligibility.

To obtain this type of funding, states must submit an advanced planning document (APD). 

Reimbursement: Services and authority options for contact tracing
For Medicaid to support contact tracing, SMAs need to identify both state plan services and authority to provide the service. Defining a service and authority may be challenging, as contact tracing is historically a public health intervention and not a medical service that directly benefits a Medicaid member. CMS does not typically allow this type of service under Medicaid. Given the flexibility afforded under current disaster declarations, however, CMS may have more flexibility than usual. Some options for services include: 

Case management

  • How it works 
    First, an individual tests positive and contact-tracing interviews occur. Then, a healthcare provider, such as a hospital, reaches out to the individual, facilitates testing and education, delivers results, and follows up for any care needed. This process applies to any Medicaid members or other individuals who have private insurance that is identified. The provider can discharge the member from case management once the individual recovers. Case management as a Medicaid service is unique in that a diagnosis requiring medical management is the impetus for providing the service.
  • Federal approval rationale
    Hospitals may be a good partner for this service due to CMS’s Hospital Without Walls guidance. If the hospital partners with the Public Health Entity for contact tracing, then the case management piece could—in theory—be billed by the staff providing case management through the hospital. The hospital would also be able to bill for testing and lab, care, etc. Public Health could track where there is capacity through the medical community for treatment, especially hospital beds, ventilators, and alternative testing sites. The case manager providing coordination of care for COVID-19 testing and treatment would have access to the hospital medical record system, and the hospital could bill for the service.

Health home

  • How it works
    A health home under the state plan could also serve as a vehicle for services for this population. To better care for Medicaid members with chronic conditions, the Affordable Care Act created an optional Medicaid state plan benefit to coordinate care. Health homes are designed to integrate all physical and behavioral healthcare. Participation in health homes is voluntary. In order for members to participate, they must possess at least one chronic condition (e.g., high blood pressure, asthma, obesity, diabetes, or any serious chronic condition) and be at risk for a second (e.g., COVID-19).
  • Federal approval rationale
    The health home may be a good support model, as it is eligible for FFP of 90% for the first two years—likely long enough to respond to the pandemic—making it economically attractive. 

The most flexible potential authority for a Medicaid agency to use for contact tracing is the 1115 waiver. As part of the Medicaid Disaster Response Toolkit, CMS made expedited review available. In addition, State Medicaid Director Letter (SMDL) #20-002 provides guidance on a new section 1115 waiver available to assist states in addressing the COVID-19 public health emergency. 

Section 1115 demonstration waiver
The 1115 waiver is the most dynamic option available, and states can access it through the 1115 disaster waiver option under the Medicaid toolkit. The state may be able to show that providing contact tracing will result in savings for services billed under Medicaid. These savings may be able to be justified by decreasing the number of people who test positive for the virus, leading to budget neutrality. The budget neutrality model would need to show “with” and “without waiver” scenarios that demonstrate to Medicaid the cost of the spread of the virus with and without contact tracing. A challenge to this approach is the time necessary to develop the waiver and budget neutrality model and gain CMS approval. 

Recently, CMS approved one of these new section 1115 waivers for the state of Washington. While Washington did not request to cover contact tracing, the speed of approval and the fact that CMS has indicated for the pandemic 1115 requests states will not be required to submit budget neutrality calculations, is a positive indicator for states to consider in envisioning creative models for leveraging Medicaid to minimize the impacts of COVID-19. 

Next steps

  • Check in with your CMS contacts. COVID-19 is new, and America’s response continues to evolve. Check in with your CMS contact for input on the latest guidance that may be applicable to your agency. 
  • Develop an APD. Develop your state’s APD to help fund the technology needs for tracking COVID-19, along with training for your SMA team and providers. 
  • Determine services. In partnership with CMS, determine if case management, a health home, or other service makes the most sense for your state to help trace contacts, reduce the spread of COVID-19, and encourage employment in this important work. 
  • Submit your waiver for state plan amendment. After working with CMS to determine the service that makes sense for your state, develop and submit the request to provide this service through a 1115 waiver, 1135 waiver, or if necessary, emergency state plan amendment. 

We’re here to help
If you have more questions or want to have an in-depth conversation about your specific situation, please contact the Medicaid consulting team

Blog
Contact tracing for COVID-19: What it is and how Medicaid can use it

Read this if you are a tax-exempt organization.

The IRS recently issued proposed regulations (REG-106864-18) related to Internal Revenue Code Section 512(a)(6), which requires tax-exempt entities to calculate unrelated business taxable income (UBTI) separately for each unrelated trade or business carried on by the organization.

For years beginning after December 31, 2017, exempt organizations with more than one unrelated trade or business are no longer permitted to aggregate income and deductions from all unrelated trades or businesses when calculating UBTI. In August 2018, the IRS issued Notice 2018-67, which discussed and solicited comments regarding various issues arising under Code Section 512(a)(6) and set forth interim guidance and transition rules relating to that section. 

The good news
The new proposed regulations expand upon Notice 2018-67 and provide for the following:

  • An exempt organization would identify each of its separate unrelated trades or businesses using the first two digits of the NAICS code that most accurately describes the trade or business. Activities in different geographic areas may be aggregated.
  • The total UBTI of an organization with more than one unrelated trade or business would be the sum of the UBTI computed with respect to each separate unrelated trade or business (subject to the limitation that UBTI with respect to any separate unrelated trade or business cannot be less than zero). 
  • An exempt organization with more than one unrelated trade or business would determine the NOL deduction allowed separately with respect to each of its unrelated trades or businesses.
  • An organization with losses arising in a tax year beginning before January 1, 2018 (pre-2018 NOLs), and with losses arising in a tax year beginning after December 31, 2017 (post-2017 NOLs), would deduct its pre-2018 NOLs from total UBTI before deducting any post-2017 NOLs with regard to a separate unrelated trade or business against the UBTI from such trade or business. 
  • An organization's investment activities would be treated collectively as a separate unrelated trade or business. In general, an organization's investment activities would be limited to its:
     
    1. Qualifying partnership interests
    2. Qualifying S corporation interests
    3. Debt-financed property or properties 

Organizations described in Code Sec. 501(c)(3) are classified as publicly supported charities if they meet certain support tests. The proposed regulations would permit an organization with more than one unrelated trade or business to aggregate its net income and net losses from all of its unrelated business activities for purposes of determining whether the organization is publicly supported. 

The missing news: Unaddressed items from the new guidance
With the changes provided by these proposed regulations we anticipate less complexity and lower compliance costs in applying Code Section 512(a)(6). While this new guidance is considered taxpayer friendly, the IRS still has more work to do. Items not yet addressed include:

  • Allocation of expenses among unrelated trade or businesses and between exempt and non-exempt activities.
  • The ordering rules for applying charitable deductions and NOLs.
  • Net operating losses as changed under the CARES Act.

The IRS is requesting comments on numerous key situations. Until the regulations are finalized, organizations can rely on either these proposed regulations, Notice 2018-67, or a reasonable good-faith interpretation of Code Sections 511-514 considering all the facts and circumstances.
We will keep you informed with the latest developments.

If you have any questions, please contact the not-for-profit consulting team

Blog
IRS unrelated business taxable income update: The good news and the missing news

Editor's note: Read this if you are a leader in higher education.

The Department of Education has released guidance to colleges and universities on how the CARES Act grants to institutions, under the Higher Education Emergency Relief Fund (HEERF), may be used. The guidance comes in the form of answers to frequently asked questions, which we recommend institutions read before accepting the funds. Some key answers included in the document:

  1. A school has to participate in the HEERF funding to be used for grants to students to get the institutional share.
  2. Schools can use these funds to cover the costs of refunds for room and board provided as a result of campus closure.
  3. These funds can be used to make additional emergency financial aid grants to students impacted by campus closure.

We urge schools to retain supporting documentation of the proper use of these funds to allow for a compliance audit, should that be required. 

Questions?
Please contact Renee Bishop, Sarah Belliveau, or Mark LaPrade. We’re here to help.

Blog
The Higher Education Emergency Relief Fund (HEERF): Guidelines

Read this if your organization, business, or institution has leases and you’ve been eagerly awaiting and planning for the implementation of the new lease standards.

Ready? Set? Not yet. As we have prepared for and experienced delays related to Financial Accounting Standards Board (FASB) Accounting Standards Codification Topic 842, Leases, we thought the time had finally come for implementation. With the challenges that COVID-19 has brought to everyone, the FASB recognizes the significant impact COVID-19 has brought to commercial businesses and not-for-profits and is proposing a one-year delay in implementation, as described in this article posted to the Journal of Accountancy: FASB effective date delay proposals to include private company lease accounting.

But what about lease concessions? We all recognize many lessors are making concessions due to the pandemic. Under current guidance in Topics 840 and 842, changes to lease contracts that were not included in the original lease are generally accounted for as lease modifications and, therefore, a separate contract. This would require remeasurement of the new lease contract and related right-of-use asset. FASB recognized this issue and has published a FASB Staff Questions and Answers (Q&A) Document,  Topic 842 and Topic 840: Accounting for Lease Concessions Related to the Effects of the COVID-19 Pandemic. Under this new guidance, if lease concessions are made relating to COVID-19, entities do not need to analyze each contract to determine if a new contract has been entered into, and will have the option to apply, or not to apply, the lease modification provisions of Topics 840 and 842.

Implementation of the lease accounting standard will most likely be delayed for Governmental Accounting Standards Board (GASB) entities as well. On April 15, 2020, the GASB issued an exposure draft that would delay most GASB statements and implementation guides due to be implemented for fiscal years 2019 and later. Most notably, this includes Statement 84, Fiduciary Activities, and Statement 87, Leases. Comments on the proposal will be accepted through April 30, and the board plans to consider a final statement for issuance on May 8. More information may be found in this article from the Journal of Accountancy: GASB proposes postponing effective dates due to pandemic.

More information

Whether you are a FASB or GASB entity, you can expect a delay in the implementation of the lease standard. If you have questions, please contact a member of our financial statement audit team. For other COVID-19 related resources, please refer to BerryDunn’s COVID-19 Resources Page.

Blog
FASB and GASB news: Postponement of the lease accounting standards

Read this if you are a leader at a state Medicaid agency, Long-Term Care Hospital, Rural Health Clinic, Federally Qualified Health Center, or intermediate care facility.

New toolkit launches to help states navigate COVID-19 health workforce challenges 

In order to maximize workforce flexibility to help confront COVID-19, CMS and the Assistant Secretary of Preparedness and Response (ASPR) have released a new toolkit to assist state and local healthcare decision makers. The toolkits are available as a set of resource collections including:

Our team will be taking a closer look at these resource collections in the coming week and plan to have detailed information on the opportunities within.

Compliance flexibilities announced for implementation of interoperability final rules due to COVID-19

CMS and the Office of the National Coordinator for Health IT (ONC), in conjunction with the Health and Human Services (HHS) Office of Inspector General (OIG), have announced a policy of enforcement discretion to allow compliance flexibilities regarding the implementation of the interoperability final rules previously announced on March 9, 2020.

  • Announced in March, the Interoperability and Patient Access final rule (CMS-9115-F) is focused on the pursuit of interoperability and patient access to health information.
  • CMS-regulated payers, including Medicaid Fee-for-Service (FFS) programs, Medicaid managed care plans, CHIP FFS programs, and CHIP managed care entities are required to implement and maintain a secure, standards-based (HL7 FHIR Release 4.0.1) API that allows members access their claims and encounter information, as well as provider directory information available through third-party applications of their choice.
  • Due to the public health emergency posed by COVID-19, CMS is exercising the “enforcement discretion” to adopt a temporary policy of relaxed enforcement for the final rule.

CMS releases additional blanket waivers for Long-Term Care Hospitals (LTCHs), Rural Health Clinics (RHCs), Federally Qualified Health Centers (FQHCs) and intermediate care facilities

CMS is providing additional blanket waivers related to care for patients in LTCHs, temporary expansion locations of RHCs and FQHCs, staffing and training modifications in intermediate care facilities for individuals with intellectual disabilities, and the limit for substitute billing arrangements (locum tenens).

  • The new flexibilities do not require a waiver or any requests be sent to CMS electronically or any other notification to CMS regional offices.
  • The guidance includes flexibilities related to provider location, staffing, reporting requirements, discharge, patient rights and other areas regulated by CMS.
  • The blanket waiver authority exercised by CMS in this case applies only to federal requirements and does not apply to state requirements for licensure or conditions of participation.

State of Washington COVID-19-related section 1115(a) demonstration approval

Washington’s approval is the first section 1115(a) demonstration specifically intended to combat the effects of COVID-19 in a state.

  • CMS authorized a time-limited approval for several of the requests in Washington’s March 24, 2020 section 1115(a) demonstration with a retroactive effective date of March 1, 2020 through 60 days after the public health emergency declaration.
  • CMS approved two waiver authority requests, as well as six expenditure authority requests from Washington’s section 1115(a) demonstration. 
  • CMS did not require the state to submit budget neutrality calculations for the Washington COVID-19 section 1115(a) demonstration. 

CMS issues guidance allowing Independent Freestanding Emergency Departments (IFEDs) to provide care to Medicare and Medicaid beneficiaries during the COVID-19 Public Health Emergency

CMS issued guidance On April 21, 2020 which allows licensed IFEDs in the states of Colorado, Delaware, Rhode Island, and Texas to temporarily provide care to Medicare and Medicaid patients to address any surge.

  • IFEDs generally offer a range of services including basic imaging services, computed tomography (CT) scans, ultrasound, and basic on-site laboratory services. During this public health emergency these entities can temporarily bill Medicare and Medicaid as a certified hospital.
  • CMS is waiving certain conditions of participation for hospital operations to maximize patient care capabilities during this public health emergency. IFEDs may participate in Medicare and Medicaid in one of three ways: 
     
    • Becoming affiliated with a Medicare/Medicaid-certified hospital under the temporary expansion 1135 emergency waiver; 
    • Participating in Medicaid under the clinic benefit if permitted by the state; or
    • Enrolling temporarily as a Medicare/Medicaid-certified hospital to provide hospital services.

We’re here to help. If you have more questions or want to have an in-depth conversation about your specific situation, please contact the team

Blog
CMS launches toolkits, releases guidance, and loosens some restrictions to help states and others address COVID-19

Editor's note: Read this if you are a leader in higher education.

The Department of Education (ED) has released the first round of guidance to colleges and universities, with more detail to begin issuing much-needed emergency funding grants to students from the Higher Education Emergency Relief Fund (HEERF), provided as part of the CARES Act.

The guidance clarifies a variety of questions about the portion of the funding to be used for emergency financial aid grants to students, most notably:

  • These funds cannot be used to fund room and board refunds.
  • These funds cannot be used to cover overdue student bills at the institution.
  • Only students eligible to participate in Title IV programs may receive emergency financial aid grants. Students who have not filed a FAFSA but who are eligible to file a FAFSA may receive emergency financial aid grants.

A broader summary from NASFAA can be found here.

While not specifically addressed in this guidance, the HEERF has been provided a CFDA number which leads our team to believe there is a good likelihood these funds will be included in some fashion under the Uniform Guidance compliance audits. We urge schools to retain adequate documentation from their decision making process to allow for a compliance audit, should that be required. We anticipate additional guidance on the HEERF will be forthcoming as schools begin to award the grants to students.

Questions?
Please contact Renee Bishop, Sarah Belliveau, or Mark LaPrade. We’re here to help.

Blog
Update from ED on CARES Act grants to students

As resources are released to help higher education institutions navigate the rapidly changing landscape, we will add important links and information to this blog post:

Industry resources:
US Department of Education (ED)

Guidance for colleges:

Guidance on leases:
FASB and GASB news: Postponement of the lease accounting standards

We are here to help
Please contact the BerryDunn higher education team if you have any questions, or would like to discuss your specific situation.

Blog
Resources for higher education institutions affected by COVID-19

Read this if you are a not-for-profit looking to learn more about tax filing deadlines.

State of New Hampshire: If your organization has a December 31 year-end, your annual report filing with the Charitable Trusts Unit and related payment are still due by May 15. If you are not ready to file, you may file Form NHCT-4 for an extension by May 15. If your organization has a June 30 year-end, you may email the State Attorney General to ask for additional time to July 15.

April 24, 2020, UPDATE: Commonwealth of Massachusetts: The Massachusetts Attorney General’s office has extended the Form PC filing requirement. All filing deadlines for annual charities filings for fiscal year 2019 have been extended by six months. This extension is in addition to the automatic six month extension that many not-for-profits receive. In addition, original signatures, photocopies of signatures, and e-signatures (e.g., DocuSign) will be accepted.

On April 9, 2020, the Internal Revenue Service (IRS) issued Notice 2020-23, its third round of tax filing relief guidance, which amplifies relief set forth in previously issued IRS notices providing relief to taxpayers affected by COVID-19. Notice 2020-23 also provides additional time to perform certain other actions. The Notice holds the special distinction of being the first to provide specific relief to not-for-profit organizations with return filing and tax payment obligations due between April 1 and July 15, 2020. The details are highlighted below:

Tax deadline extended to July 15, 2020
The Notice explicitly states that Form 990-T tax payment and filing obligations due during the period between April 1 and July 15 will be automatically extended to July 15, 2020. Additionally, Form 990-PF (and associated tax payments) as well as quarterly Federal estimated tax payments remitted via Form 990-W are also explicitly noted and are granted an extension to July 15.
    
While this is certainly good news, the more eagerly anticipated news is the Notice also includes “Affected Taxpayers” who are required to perform “Specified Time-Sensitive Actions” referenced in Revenue Procedure 2018-58. The Revenue Procedure specifically mentions exempt organizations as “Affected Taxpayers” required to perform “specified time-sensitive actions”—one such action being the filing of Form 990.

In summary (with the combined power of the Notice and Revenue Procedure), any entity with a Form 990, Form 990-EZ, Form 990-PF, Form 990-T, Form 990-W estimated tax filing requirement, Form 1120-POL or Form 4720 filing obligation due between April 1 and July 15, 2020 now have until July 15, 2020 to file. Needless to say this is very welcome news for an industry that like so many others, is being pushed to the brink during this turbulent and difficult time.

Additional extensions
Notice 2020-23 (with reference to Revenue Procedure 2018-58) also extends the due date of certain forms, notices, applications, and other exempt organization activities due between April 1 and July 15, 2020, until July 15, 2020 as noted below: 

  • Community health needs assessments (CHNAs) and Implementation Strategies
  • Application for Recognition of Exemption (Forms 1023 and 1024) 
  • Section 501(h) Elections and Revocations (Form 5768)
  • Information Return of US Persons with Respect to Certain Foreign Corporations (Form 5471)
  • Political Organization Notices and Reports (Forms 8871 and 8872)
  • Notification of Intent to Operate as a Section 501(c)(4) Organization (Form 8976) 

We are here to help
Please contact the BerryDunn not-for-profit tax team if you have any questions, or would like to discuss your specific situation.

Blog
Not-for-profit May 15 tax deadline extended

Read this if you work at a public health department and would like a brief summary of how you can maximize funding and meet new federal requirements.

Unpacking the trillions

In response to the COVID-19 pandemic, several pieces of legislation were passed by congress and signed into law. The three bills, H.R. 6074 Coronavirus Preparedness and Response Supplemental Appropriations Act, H.R. 6201 Families First Coronavirus Response Act, and H.R. 748 Coronavirus Aid, Relief, and Economic Security (CARES) Act, have provided funding for various federal agencies with different roles in responding to the crisis. Because of the urgency required, much of the guidance for use of funds and reporting requirements were released after passage of the bills or have yet to be released.

Here is a brief timeline and summary of the acts:

Implication and next steps for state public health departments

While little guidance has been provided for how state public health departments should prepare to access federal funds, BerryDunn will continue to monitor and release updates as they become available. 

While at this point HR 6074 has the greatest implications for public health departments, here are some actions that states should take now for their public health programs from the recent legislation:

  1. H.R. 6074: Provides appropriations to the CDC to be allocated to states for COVID-19 expenses.
    • To ensure maximum funding, prepare a spend plan to submit to CDC.
    • To ensure compliance, provide CDC with copies or access to COVID-19 data collected with these funds.
    • To maximize the impact of new funding, develop a COVID-19 community intervention plan.
    • To support streamlined operations, submit revised work plans to CDC.
    • To prevent missed deadlines, submit any requests for deadline extensions to the CDC.
  2. H.R. 6201: Provides guidance specific to the Special Supplemental Nutrition Program for Women, Infants, and Children (WIC) programs.
    • To encourage social distancing and loosen administrative requirements, seek waivers through the USDA’s Food and Nutrition Service (FNS).
    • To ensure compliance, prepare to submit a report summarizing the use of waivers on population outcomes by March 2021.
  3. H.R. 748: Allocates $150 billion to a coronavirus relief fund for state, local, and tribal governments.
  • To secure funding, monitor the US Department of Health & Human Services (HHS) for guidance on using funds for:
    • Coronavirus prevention and preparation
    • Tools to build health data infrastructure
    • COVID-19 Public Health Emergency expenses
    • Developing countermeasures and vaccines for coronavirus
    • Telehealth and rural health activities
       
  • To ensure HIPAA compliance when sharing protected patient health information, monitor the US Department of Health & Human Services (HHS) for guidance.

For more information

For specific issues your agency has, or if you have other questions, please contact us. We’re here to help. 

Blog
COVID-19 laws and their impact on state public health agencies

Read this if you are a leader at a state Medicaid agency.

CMS has delivered nearly  $34 billion, later updated to $51 billion, in the past week to the healthcare providers on the frontlines battling the 2019 novel coronavirus

  • The process in which CMS is implementing requests has reduced times of an accelerated or advance payment to four to six days. Previously the timeframe was three to four weeks. 
  • To date, CMS has received over 25,000 requests from providers and suppliers for accelerated and advance payments. Of these, CMS has approved over 17,000 requests in the past week. 
  • It should be noted that this funding is separate and distinct from the $100 billion provided in the Coronavirus Aid, Relief, and Economic Security (CARES) Act.

CMS issues new wave of infection control guidance based on CDC guidelines to protect patients and healthcare workers 

CMS has issued a series of updated guidance documents focused on infection control to prevent the spread of COVID-19 in a variety of inpatient and outpatient care settings.

  • The updated guidance includes a number of updates, notably the option of providing home dialysis training and support services. These are designed to help some dialysis patients stay home during the pandemic.
  • In particular, the guidance includes the establishment of Special Purpose Renal Dialysis Facilities (SPRDFs), which can allow dialysis facilities to isolate vulnerable or infected patients.
  • For hospitals, psychiatric hospitals and CAHs, the updated guidance provides recommendations on screening and visitation restrictions, discharge to subsequent care locations, as well as staff screening and testing.

CMS acts to ensure US healthcare facilities can maximize frontline workforces to confront COVID-19 crisis 

CMS has temporarily suspended a number of rules in order for hospitals, clinics, and other healthcare facilities to boost their frontline medical staffs.

The CMS guidance focuses on reducing supervision and certification requirements so that practitioners can both be hired rapidly and perform work to the extent of their licensure. CMS guidance allows the following:

  • Doctors can now directly care for patients in certain settings without having to be physically present.
  • Nurse practitioners may now perform some medical exams on Medicare patients at skilled nursing.

CMS approves additional state Medicaid waivers and amendments to give states flexibility to address coronavirus pandemic

CMS continues to deliver regulatory relief to a number of new states in the form of waivers and state plan amendments.

  • In total, CMS has now approved 49 emergency 1135 waivers, 26 state amendments, seven COVID-19 related Medicaid disaster amendments and the first CHIP COVID-related disaster amendment
  • The COVID-related Children’s Health Insurance Program (CHIP) disaster amendment is for the State of Maine. 
  • CMS has now approved COVID-related Medicaid disaster state plan amendments for North Dakota, Rhode Island, and Wyoming.

HHS authorizes licensed pharmacists to order and administer COVID-19 tests

On April 8, HHS released new guidance under the Public Readiness and Emergency Preparedness Act that authorizes licensed pharmacists to order and administer FDA-approved COVID-19 tests.

  • The guidance allows pharmacists to order and administer COVID-19 tests to their patients will provide easier access to testing and will expand testing for healthcare workers and first responders. 

We’re here to help. If you have more questions or want to have an in-depth conversation about your specific situation, please contact the team

Blog
CMS approves over $51 billion for providers with the accelerated/advance payment program for Medicare providers

Read this if you are an IT Leader, CFO, COO, or other C-suite leader responsible for selecting a new system.

Vendor demonstrations are an important milestone in the vendor selection process. Demonstrations allow you to validate what a vendor’s software is capable of, evaluate the usability with your own eyes, and confirm the fit to your organization’s objectives.

Our client found itself in a situation where, after many months of work developing requirements, issuing a request for proposal, and reviewing vendor proposals they were ready to conduct demonstrations. Despite a governor’s executive order for social distancing and limitations on non-essential travel, our client needed to conduct demonstrations to achieve an important project milestone. This presented an opportunity to help them plan, test, and facilitate remote vendor demonstrations with great success.

This brief case study shares some of the key success factors we found in conducting remote demonstrations and some lessons learned after they were complete.

  1. Prepare 
    Establish a clear agenda, schedule, script, and plan in advance of the demonstrations. This helps keep everyone coordinated throughout the demos.
  2. Test
    It is important to test the vendor’s video conference solution from all locations prior to the demonstrations. We tested with both vendors a week ahead of demos.
  3. Establish Ground Rules
    Establishing ground rules allows the meetings to go better, be more efficient, and stay on time. For example, is a moment of silence a consensus to move on or must you wait for someone to unmute their line to verbally confirm to proceed.
  4. Have clear roles by location
    Clear roles help to facilitate the demonstration. Designated time keepers, scribes, and local facilitators help the demonstration go smoothly, and decreases communication issues.
  5. Be close to the microphone
    Essential common sense, but when you can’t see everyone, loud, clear questions and answers make the demos more effective.
  6. Ask vendors to build in pauses to allow for questions
    Since vendors may not be able to see a hand raised, asking vendors to build specific pauses into their demonstrations allows space for questions to be asked easily.
  7. Do a virtual debrief 
    At the end of each vendor demonstration we had our own videoconferencing meeting set up to facilitate a virtual debrief. This allowed us to capture the evaluation notes of the day prior to the next demo. Planning these in advance and having them on people’s calendars made joining the meetings quick and seamless.

Observations and other lessons learned

Following the remote demonstrations we identified a few observations and lessons learned:

  1. Visibility was better
    By not having everyone crowded into one room, people were able to see the screen and the vendor’s software clearly.
  2. Different virtual platforms required orientation
    We wanted vendors to use the tools they were accustomed to using. This led to us using different products for different demonstrations. This was not insurmountable, but required orientation to get used to their tools at the start of each demo.
  3. Video helped debriefing
    Given the quick planning we did not have video capability from all locations for our virtual debrief. It was helpful to see the people sharing their comments following each demonstration. We will plan for video capabilities at all locations next time.
  4. Having a set order for people to provide feedback helped
    During the first debriefing, we established a set order for people to speak and share their thoughts. This limited talking over each other and allowed everyone to hear the thoughts of their peers clearly.
  5. Be patient with slowness
    For the most part we had successful demos with limited slowness. There were a couple points where slowness was encountered. We remained patient, adjusted the schedule, and in the worst case, added an extra break for people.
  6. Staying engaged takes effort
    Sitting all day on a remote demo and paying attention took effort to stay engaged. Building in specific times for Q&A, calling on people by name, and designing it so it wasn’t eight hours straight of presentation helped with engagement.

Restricted travel in response to COVID-19 has led our clients and our teams to be creative and agile in achieving objectives. The remote demonstrations proved highly successful, accomplished the goals, and met our client’s critical timing milestone. At the end of four days of demos, our client commented that the remote demos were perhaps even better than if they had been conducted onsite. As we look at the long view, we may find that clients prefer remote demonstrations even when social distancing and travel restrictions are lifted.

Blog
Social distancing case study: Hosting remote vendor demonstrations

More and more emphasis is being put on cybersecurity by companies of all sizes. Whether it’s the news headlines of notable IT incidents, greater emphasis on the value of data, or the monetization of certain types of attacks, an increasing amount of energy and money is going towards security. Security has the attention of leadership and the board and it is not going away. One of the biggest risks to and vulnerabilities of any organization’s security continues to be its people. Innovative approaches and new technology can reduce risk but they still don’t prevent the damage that can be inflicted by an employee simply opening an attachment or following a link. This is more likely to happen than you may think.

Technology also doesn’t prepare a management team for how to handle the IT response, communication effort, and workforce management required during and after an event. Technology doesn’t lessen the operational impact that your organization will feel when, not if, you experience an event.

So let’s examine the human and operational side of cybersecurity. Below are three factors you should address to reduce risk and prepare your organization for an event:

  1. People: Create and maintain a vigilant workforce
    Ask yourself, “How prepared is our workforce when it comes to security threats and protecting our data? How likely would it be for one of our team members to click on a link or open an attachment that appear to be from our CFO? Would our team members look closely enough at the email address and notice that the organization name is different by one letter?”
     

    According to the 2016 Verizon Data Breach Report, 30% of phishing messages were opened by the target across all campaigns and 12% went on to click on the attachment or link.

    Phishing email attacks directed at your company through your team range from very obvious to extremely believable. Some attempts are sent widely and are looking for just one person to click, while others are extremely targeted and deliberate. In either case, it is vital that each employee takes enough time to realize that the email request is unusual. Perhaps there are strange typos in the request or it is odd the CFO is emailing while on vacation. That moment your employees take to pause and decide whether to click on the link/attachment could mean the difference between experiencing an event or not.

    So how do you create and cultivate this type of thought process in your workforce? Lots of education and awareness efforts. This goes beyond just an annual in-service training on HIPAA. It may include education sessions, emails with tips and tricks, posters describing the risk, and also exercises to test your workforce against phishing and security exploits. It also takes leadership embracing security as a strategic imperative and leading the organization to take it seriously. Once you have these efforts in place, you can create culture change to build and maintain an environment where an employee is not embarrassed to check with the CFO’s office to see if they really did send an email from Bora Bora.
  1. Plan: Implement a disaster recovery and incident response plan 
    Through the years, disaster recovery plans have been the usual response. Mostly, the emphasis has been on recovering data after a non-security IT event, often discussed in context of a fire, power loss, or hardware failure. Increasingly, cyber-attacks are creeping into the forefront of planning efforts. The challenge with cyber-events is that they are murkier to understand – and harder for leadership – to assist with.

    It’s easier to understand the concept of a fire destroying your server room and the plan entailing acquiring new equipment, recovering data from backup, restoring operations, having good downtime procedures, and communicating the restoration efforts along the way. What is much more challenging is if the event begins with a suspicion by employees, customers, or vendors who believe their data has been stolen without any conclusive information that your company is the originating point of the data loss. How do you take action if you know very little about the situation? What do you communicate if you are not sure what to say? It is this level of uncertainty that makes it so difficult. Do you have a plan in place for how to respond to an incident? Here are some questions to consider:
     
    1. How will we communicate internally with our staff about the incident?
    2. How will we communicate with our clients? Our patients? Our community?
    3. When should we call our insurance company? Our attorney?
    4. Is reception prepared to describe what is going on if someone visits our office?
    5. Do we have the technical expertise to diagnose the issue?
    6. Do we have set protocols in place for when to bring our systems off-line and are our downtime procedures ready to use?
    7. When the press gets wind of the situation, who will communicate with them and what will we share?
    8. If our telephone system and network is taken offline, how we will we communicate with our leadership team and workforce?

By starting to ask these questions, you can ascertain how ready you may, or may not be, for a cyber-attack when it comes.

  1. Practice: Prepare your team with table top exercises  
    Given the complexity and diversity of the threats people are encountering today, no single written plan can account for all of the possible combinations of cyber-attacks. A plan can give guidance, set communication protocols, and structure your approach to your response. But by conducting exercises against hypothetical situations, you can test your plan, identify weaknesses in the plan, and also provide your leadership team with insight and experience – before it counts.

    A table top exercise entails one team member (perhaps from IT or from an outside firm) coming up with a hypothetical situation and a series of facts and clues about the situation that are given to your leadership team over time. Your team then implements the existing plans to respond to the incident and make decisions. There are no right or wrong answers in this scenario. Rather, the goal is to practice the decision-making and response process to determine where improvements are needed.

    Maybe you run an exercise and realize that you have not communicated to your staff that no mention of the event should be shared by employees on social media. Maybe the exercise makes you realize that the network administrator who is on vacation at the time is the only one who knows how to log onto the firewall. You might identify specific gaps that are lacking in your cybersecurity coverage. There is much to learn that can help you prepare for the real thing.

As you know, there are many different threats and risks facing organizations. Some are from inside an organization while others come from outside. Simply throwing additional technology at the problem will not sufficiently address the risks. While your people continue to be one of the biggest threats, they can also be one of your biggest assets, in both preventing issues from occurring and then responding quickly and appropriately when they do. Remember focus on your People, Your Plan, and Your Practice.

Blog
The three P's of improving your company's cybersecurity soft skills

Read this if you are a Chief Executive Officer, Chief Financial Officer, Chief Risk Officer, Chief Information Officer, or Controller.

While COVID-19 has forced many of us into a remote work environment, we also have to deal with the challenges that come along with it. The stark contrast between an office environment and one that potentially involves working in isolation can be a difficult adjustment. Office kitchen conversations have evolved into conversations with pets, our newest co-workers. A quick, in-person question has now turned into an email, phone, or video call. And job responsibilities expand as we try to not only juggle work but also ensure our children focus on school work―and don’t destroy the house. 

Not only has this forced environment caused social challenges, it has also opened the door for internal control challenges, as  internal controls designed to operate effectively in an office environment may not be ideal for a remote workplace. Even ones that are appropriately designed, may prove to be operating ineffectively in this new environment. Let’s take a look at some internal control challenges, and potential solutions, faced by working in a remote environment.

Establishing a remote control environment

Exercising appropriate tone at the top and establishing appropriate oversight can be challenging with a remote workforce. Ethics and governance policies play an important role in setting clear expectations about workplace behaviors. But, a workforce is much more apt to follow a leadership team’s example rather than a policy. All of those office conversations, even the conversations that are not work related, help set an expectation of appropriate and inappropriate behaviors. These conversations often happen naturally in the office via a quick conversation in passing in the hallway or a late-Friday happy hour with your department. However, these interactions do not naturally occur in a remote workplace. Leadership and department heads should make an active effort to maintain communication with their workforce. Some things to consider:

  • Send out weekly emails to the entire department and possibly more personal, one-on-one videoconferences or phone calls between your department heads or managers and individual members of their teams.
  • These department-wide emails should stress the importance of communication as well as continuing to produce high quality work and maintaining accountability. 
  • One-on-one meetings should be used to check in with employees to ensure their work needs are being met. 

Employees will most likely have many suggestions to improve their new work environment, including suggestions on how to improve communication amongst team members. 

The power of video

Videoconferencing also provides a great opportunity to stay connected. Virtual happy hours simulate an in-person happy hour. This is a great way to check-in with team members and show that, although people are out of sight, they are not out of mind. Town hall-type meetings can also be explored. Your leadership team can solicit open discussion. Agenda items may include office status updates, technological considerations, and an opportunity for employees to openly discuss current challenges due to working in a remote environment. Employees are going to have anxiety about the current environment. These meetings can help put employees at ease.

Risk assessment

Internal control environments are constantly evolving. Employees leave. Software is updated.  Offered services and products change. The list goes on. However, it is unprecedented that an internal control environment has changed so rapidly. Given these unprecedented times, there is potential for higher risk of fraud, internally and externally. Those responsible for designing internal controls (control owners) should reassess your company’s environment. Although internal controls can be designed in a manner in which they operate effectively regardless of the circumstances, it is possible there are unintended changes to processes that have occurred. 

For instance, let’s say the employee responsible for reviewing loan file maintenance changes is now working an alternative work schedule due to personal obligations. This employee does not have the ability to make loan file changes; therefore, segregation of duties has never been an issue. An employee within loan servicing has agreed to take some of the employee’s responsibilities and is now reviewing some of the loan file maintenance changes, which has put this employee in a position to review some of their own changes. 

Furthermore, some internal controls that require employees be at a physical location to operate may also be compromised, such as inventory cycle counts. If these controls are unable to operate, control owners will need to consider the impacts on the affected transaction areas, and if there are compensating controls that can be designed to alleviate some of the control risk.

Control activities

Accounts payable and check signing

The accounts payable and cash disbursement process will most likely be upended as a result of your new remote environment. Bills received through the mail will need to be scanned to the accounts payable clerk for entry into the accounting system. Some offices have designated certain personnel responsible for checking mail on an infrequent basis, for instance, weekly. Check signing may also prove to be a challenge as blank check stock may be inaccessible. Electronic receipt of invoices and signing of checks, as well as the use of wire and ACH transfers, lend themselves as feasible solutions. Email approvals may suffice when multiple signers are needed to approve high dollar disbursements.

Segregation of duties

As mentioned above, it is possible processes have inadvertently changed, exposing certain internal controls to ineffectiveness. Segregation of duties may become difficult as employees shift to alternative work schedules or have other issues. Maintaining segregation of duties should be a top priority for control owners and is something that should be constantly assessed as circumstances change. Challenging times may make segregation of duties difficult and may force you to get creative by requesting employees perform duties they are not otherwise accustomed to performing.

Digital sign-offs

You should also consider the manner in which you document the completion of controls. Control owners should be cautious about the integrity of an employee’s initials simply typed onto a digital document, as any employee can perform this task. Digital signatures, which require an employee to enter credentials prior to signing, enhance the integrity of a sign-off and are often time stamped. Digital signatures may also “lock down” the document, prohibiting any changes to the signed document.

Timely review

Given the circumstances, it is not unreasonable that preparation and review may take longer than under normal circumstances. Even if additional time is granted for the preparation and review of documents, you should consider the implications this has on the transaction class as a whole. The longer it takes to complete a control, the greater the consequences may be if you identify an error. For instance, the impact of an incorrect change to a loan rate index can be substantial if not identified timely. If identified quickly, you can avoid consequences later.

Information and communication

For many companies that have moved from a paper to a digital environment, sharing of information should not be an issue. However, for those that still operate in a mostly paper environment, performing tasks and sharing information with team members may prove to be difficult. And, those without the capability of scanning and sending documents from home could compromise a specific internal control altogether. Being forced to work remotely may be the perfect excuse to move paper processes into a digital format.

Monitoring

Monitoring your internal control environment is of the utmost importance given these significant changes. Frequent conversations should be had with control owners to ensure changes to processes do not render controls ineffective. Identified gaps in internal controls should be addressed proactively. Provide control owners with the opportunity to discuss changes to control processes with Internal Audit or Risk Management so such departments can consider the impact of changes on internal control. This also gives these departments the opportunity to cover any resulting gaps.

Permanent changes

Once the remote workplace requirements end, the effects of working in such an environment will not. There are many benefits and efficiencies to be found in working remotely. As people have now been forced to work in such an environment, they will be more apt to continue to do so. Therefore, let’s take this opportunity to revise processes and internal controls to be “remote workplace” compatible. This will provide a long-lasting impact to your organization far beyond the pandemic. 
 

Blog
How does your control environment look in a remote world?

BerryDunn’s Healthcare/Not-for-Profit Practice Group members have been working closely with our clients as they navigate the effect the COVID-19 pandemic will have on their ability to sustain and advance their missions.

We have collected several of the questions we received, and the answers provided, so that you may also benefit from this information. We will be updating our COVID-19 Resources page regularly. If you have a question you would like to have answered, please contact Sarah Belliveau, Not-for-Profit Practice Area leader, at sbelliveau@berrydunn.com.

The following questions and answers have been compiled into categories: stabilization, cash flow, financial reporting, endowments and investments, employee benefits, and additional considerations.

STABILIZATION
Q: Is all relief focused on small to mid-size organizations? What can larger nonprofit organizations participate in for relief?
A:

We have learned that there is an as-yet-to-be-defined loan program for mid-sized employers between 500-10,000 employees. You can find information in the Loans Available for Nonprofits section (link below) of  the CARES Act as well as on the Independent Sector CARES Act web page, which will be updated regularly.

Q: Should I perform financial modeling so I can understand the impact this will have on my organization? Things are moving so fast, how do I know what federal programs are available to provide assistance?
A:

The first step in developing a short-term model to navigate the next few months is to gain an understanding of the programs available to provide assistance. These resources summarize some information about available programs:

Loans Available for Nonprofits in the CARES Act
Families First Coronavirus Response Act (FFCRA): FAQs for Businesses
CARES Act Tax Provisions for Not-for-Profit Organizations

The next step is to develop scenarios ranging from best case to worst case to analyze the potential impact of revenue and/or cost reductions on the organization. Modeling the various options available to you will help to determine which program is best for your organization. Each program achieves a different objective – for instance:

  • The Paycheck Protection Program can assist in retaining employees in the short term.
  • The Emergency Economic Injury Grants are helpful in covering a small immediate liquidity need.
  • The Small Business Debt Relief Program provides aid to those concerned with making SBA loan payments.

Additionally, consider non-federal options, such as discussing short-term deferrals with your current bank.

Q: How should I create a financial forecast/model for the next year?
A:

If you have the benefit of waiting, this is likely a time period in which it makes sense to delay significant in-depth forecasting efforts, particularly if your business environment is complicated or subject to significantly volatility as a result of recent events. The concern with beginning to model for future periods, outside of the next three-to-six months, is that you’ll be using information that is incomplete and ever-changing. This could lead to snap judgments that are short-term in nature and detrimental to long-term planning and success of your organization. 

With that said, we recognize that delaying this analysis will be unsettling to many CFOs and business managers who need to have a strategy moving forward. In developing this model for next year, consider the following elements of a strong model:

  1. Flexible and dynamic – Allow room for the model to adapt as more information is available and as additional insight is requested by your constituents (board members, department heads, lenders, etc.).
  2. Prioritize – Start with your big-ticket items. These should be the items that drive results for the organization. Determine what your top two to three revenue and expense categories are and focus on wrapping your arms around the future of those. From there, look for other revenue and expense sources that show correlation with one of the big two to three. Using a dynamic model, these should be automatically updated when assumptions on correlated items change. Don’t waste time on items that likely don’t impact decision making. Finally, build consensus on baseline assumptions, whether it be through management or accounting team, the board, or finance committee.
  3. Stress-test – Provide for the reality that your assumptions, and thus model, will be wrong. Develop scenarios that run from best-case to worst-case. Be honest with your assumptions.
  4. Identify levers – As you complete stress-testing, identify your action plan under different circumstances. What are expenditures that can be deferred in a worst-case scenario? What does staffing look like at various levels?
  5. Cash is king – The focus on forecasting and modeling is often on the net income of the organization and the cash flows generated. In a time such as this, the exercise is likely to focus on future liquidity. Remember to consider your non-income and expense items that impact cash flow, such as principal payments on debt service, planned additions to property & equipment, receipts on pledge payments, and others.  
CASH FLOW
Q: How can I alleviate cash flow strain in the near term?
A:

While the House and Senate have reacted quickly to bring needed relief to individuals and businesses across the country, the reality for most is that more will need to be done to stabilize. Operationally, obvious responses in the short term should be to eliminate all nonessential purchasing and maximize the billing and collection functions in accounts receivable. Another option is to utilize or increase an existing line of credit, or establish a new line of credit, to alleviate short term cash flow shortfalls. Organizations with investment portfolios can consider the prudence of increasing the spending draw on those funds. Rather than making a few drastic changes, organizations should take a multi-faceted approach to reduce the strain on cash flow while protecting the long term sustainability of the mission.

Q: How can I increase my organization’s reach to help with disaster relief? If we establish a special purpose fund, what should my organization be thinking about?
A:

Many organizations are looking for ways to increase their direct impact and give funding to individuals or organizations they may not have historically supported. For those who are want to expand their grant or gift making or want to establish a disaster relief fund, there are things to consider when doing so to help protect the organization. The nonprofit experts at Hemenway & Barnes share their thoughts on just how to do that.

FINANCIAL REPORTING
Q: What accounting standards have been delayed or are in the process of being delayed?
A:

FASB:
The $2.2 trillion stimulus package includes a provision that would allow banks the temporary option to delay compliance with the current expected credit losses (CECL) accounting standard. This would be delayed until the earlier end of the fiscal year or the end of the coronavirus national emergency.

GASB:
On March 26, 2020, the Governmental Accounting Standards Board (GASB) announced it has added a project to its current technical agenda to consider postponing all Statement and Implementation Guide provisions with an effective date that begins on or after reporting periods beginning after June 15, 2018. The GASB has received numerous requests from state and local government officials and public accounting firms regarding postponing the upcoming effective dates of pronouncements as these state and local government offices are closed and officials do not have access to the information needed to implement the Statements. Most notably this would include Statement No. 84, Fiduciary Activities, and Statement No. 87, Leases.

The Board plans to consider an Exposure Draft for issuance in April and finalize the guidance in May 2020.

ENDOWMENTS AND INVESTMENTS 
Q: What should I consider with regard to endowments?
A:

Many nonprofits with endowments are considering ways to balance an increased reliance on their investment portfolios with the responsibility to protect and preserve the spending power of donor-restricted gifts. Some things to think about include the existence (or absence) of true restrictions, spending variations under the Uniform Prudent Management of Institutional Funds Act (UPMIFA) applicable in your state, borrowing from an endowment, or requesting from the donor the release of restrictions. All need to be balanced with the intended duration and preservation of the endowment fund. Hemenway & Barnes shares their thoughts relative to the utilization of endowments during this time of need.

EMPLOYEE BENEFITS
Q: We are going to suspend our retirement plan match through June 30, 2020 and I picked a start date of April 1st. What we need help with is our bi-weekly payroll (which is for HOURLY employees). Their next pay date is April 3rd, for time worked through March 28th. Time worked March 29-31 would be paid on April 17th. How should we handle the match during this period for the hourly employees?
A:

The key for determining what to include for the matching calculation is when it is paid, not when it was earned. If the amendment is effective April 1st, then any amounts paid after April 1st would not have matching contributions calculated. This means that the amounts paid on April 3rd would not have any matching contributions calculated.

Q: Can you please provide guidance on the Families First Coronavirus Response Act (FFCRA) and how it may impact my organization?
A:

On March 30th, BerryDunn published a blog post to help answer your questions around the FFCRA.

If you have additional questions, please contact one of our Employee Benefit Plan professionals

ADDITIONAL CONSIDERATIONS
Q: I heard there was going to be an incentive for charitable giving in the new act. What's that all about?
A:

According to Sections 2204 and 2205 of the CARES Act:

  • Up to $300 of charitable contributions can be taken as a deduction in calculating adjusted gross income (AGI) for the 2020 tax year. This will provide a tax benefit even to those who do not itemize.
  • For the 2020 tax year, the tax cap has been lifted for:
    • Individuals-from 60% of AGI to 100%
    • Corporations-annual limit is raised from 10% to 25% (for food donations this is raised from 15% to 25%)
Q: Have you heard if the May 15th tax deadline will be extended?
A:

Unfortunately, we have not heard. As of April 6th, the deadline has not been extended.

Q: Could you please summarize for me the tax provisions in the CARES Act that you think are most applicable to not-for-profits?
A: Absolutely! Our not-for-profit tax professionals have compiled this document, which provides a high-level outline of tax provisions in the CARES Act that we believe would be of interest to our clients.

We are here to help
Please contact the BerryDunn not-for-profit team if you have any questions, or would like to discuss your specific situation.

Blog
COVID-19 FAQs—Not-for-Profit Edition

Read this if you are an IT Leader, CMO, CNO, CFO, or COO in a healthcare setting that may be looking at offering telehealth services.

Adopting telehealth technology is happening rapidly in response to social distancing and the strain that COVID-19 is putting on health systems. In response to this strain and with focus on "flattening the curve" by improving access amid a torrent of temporarily closed provider offices, some state and federal restrictions on telehealth have been lifted with the passage of the CARES Act.  

So, now, the question is not if your organization should implement telehealth services but how do you do it rapidly, effectively, holistically, and with an eye on wide-spread adoption?  

Telehealth is a bit more complex than other services, because it requires a patient to be able to use technology and follow through on provider advice―without physical discussion and interaction. Taking the time with your clinicians to increase their comfort using the technology can help put your patients at ease during this uncertain time while maintaining the clinician-patient relationship. Here are things to consider to become effective with telehealth programs:

  1. Identify purpose and goals. Do you want to expand access, support more patients, improve outcomes, support social distancing, or have further geographic reach? All of the above? 
  2. Choose an approach. Use existing technology within your EHR or use a third party solution.
  3. Test the solution. Check connectivity, devices (iPhone vs Android), and patient skill level.
  4. Camera placement is important. Making sure the patient can see the provider will be important for patients.
  5. Practice with a colleague and an open mind. Develop confidence and help foster patient trust. 
  6. Be adaptable to this being different. As this is new for all parties, showing patience and maintaining calm goes a long way to help ease patient worry.
  7. Consider and plan for the patient’s technical ability, or lack thereof. Be prepared to help troubleshoot minor technical barriers or utilize alternative processes without hampering the clinical encounter. 
  8. Look directly into the camera. Helps establish and maintain the patient-provider relationship. 
  9. Document in real time. Complete good notes, as the volume of telehealth visits and lack of physical proximity to the patient will make it more challenging to remember details later. 
  10. Develop “how to” content for your staff. This will help front line staff explain what the patient should expect before the visit and will outline clear follow up procedures, should there be any technical issues.

Once you have the more technical pieces planned, the keys to success will be testing technology and workflow and embracing the change. As we know, it doesn’t take much for a vulnerable patient to lose ground. Now is the time to expand your reach, lower costs, improve outcomes, improve relationships, show adaptability, sustain progress, and send healthcare directly into the home.

We are here to help
If you have any questions about your specific needs, please contact the healthcare consulting team.

Blog
How to effectively implement telehealth services

Editor's note: read this if you are a leader in higher education. 

The Department of Education’s Office of Postsecondary Education posted an Electronic Announcement on April 3, 2020, to provide an update to the policy and operational guidance issued in March as a result of the COVID-19 pandemic national emergency. 

In addition to extending the March 5, 2020 guidance to apply to payment periods or terms beginning between March 5, 2020 and June 1, 2020, the Department has confirmed the temporary closure will not result in loss of institutional eligibility or participation. A few other changes to note:

  • Leaves of absence due to COVID-19-related concerns or limitations (such as interruption of a travel-abroad program) can be requested after the date the leave has begun.
  • Updates to the academic calendar requirements will allow institutions to offer courses on a schedule that would otherwise cause the program to be considered a non-standard term if it allows students to complete the term.
  • Calculated expected family contribution amounts will exclude from income any grants or low-interest loans received by victims of an emergency from a federal or state entity as part of the needs analysis.

One trend that continues to permeate the Department’s guidance is for institutions to document, as contemporaneously as possible, actions taken as a result of COVID-19 (including professional judgment decisions, on a case-by-case basis). 

The Department will be issuing more guidance on the impact of the CARES Act on R2T4 calculations, satisfactory academic progress requirements, the extension of the single audit by the Office of Management and Budget, and the potential impact to future FISAP filings. We highly recommend you read the full announcement as it outlines a wide variety of important details. 

Questions? Please contact Renee Bishop, Sarah Belliveau, or Mark LaPrade. We’re here to help.


 

Blog
COVID-19: Department of Education operational guidance

Read this if you are a leader at a state Medicaid agency.

Here is a summary of information we have gleaned from the Center for Medicare and Medicaid Services (CMS) Administrator Verma’s recent call.

CMS is implementing new rules and waivers that increase provider flexibility and free up resources to deal with a surge in COVID-19 patients. CMS is working with the provider community to provide clarity around specific changes that impact their operations.

  • The rulemaking process has been dramatically expedited to accommodate recent and forthcoming regulatory changes
  • CMS is in the process of working out details to administer CARES Act provisions, including further regulatory flexibilities, expansion of accelerated payment program, and $100 billion appropriated to reimburse eligible health care providers
  • CMS clarifies that the 3-Day Rule Waiver for skilled nursing facilities applies throughout the country and to all patients, regardless of their COVID-19 status

Medicaid Substance Use Disorder Treatment via Telehealth, and Rural Health Care and Medicaid Telehealth Flexibilities Guidance

This informational bulletin is composed of two parts: Rural Health Care and Medicaid Telehealth Flexibilities and Medicaid Substance Use Disorder Treatment via Telehealth.

  • The informational bulletin identifies opportunities for telehealth delivery for services to increase access to Medicaid services. It is composed of two parts, Rural Health Care and Medicaid Telehealth Flexibilities and Medicaid Substance Use Disorder (SUD) Treatment Services Furnished via Telehealth
  • The bulletin provides SUD guidance around Medication Assisted Treatment (MAT), counseling, high risk populations, and other areas critical to providing SUD services.

Long-Term Care Nursing Homes Telehealth and Telemedicine Tool Kit

CMS is issuing an electronic toolkit regarding telehealth and telemedicine for Long Term Care Nursing Home Facilities.

  • The toolkit includes electronic links to sources of information regarding telehealth and telemedicine, including the changes made by CMS over the last week in response to the national health emergency.
  • Much of the toolkit’s information is intended for providers who may wish to establish a permanent telemedicine program, but there is information here that will help in the temporary deployment of a telemedicine program as well.
  • There are specific documents identified that may be useful in choosing telemedicine vendors, equipment, and software, initiating a telemedicine program, monitoring patients remotely, and developing documentation tools. 


CMS makes regulatory changes to help US healthcare system address COVID-19 patient surge

CMS has issued a number of temporary regulatory waivers and new rules to assist the nation’s healthcare system with improved flexibility.

  • Increased hospital capacity. CMS will allow communities to take advantage of local ambulatory surgery centers that have canceled elective surgeries, per federal recommendations.
  • Healthcare workforce expansion. CMS’s temporary requirements allow hospitals and healthcare systems to increase their workforce capacity by removing barriers for physicians, nurses, and other clinicians to be readily hired from the local community as well as those licensed from other states without violating Medicare rules.
  • Paperwork requirements. CMS is temporarily eliminating paperwork requirements.
  • Telehealth in Medicare. CMS will now allow for more than 80 additional services to be furnished via telehealth.

Additional COVID-19 FAQs for state Medicaid and Children's Health Insurance Program (CHIP) agencies

CMS released an update to the COVID-19 FAQs posted on March 18, 2020 related to emergency preparedness and response, eligibility and enrollment flexibilities, benefit flexibilities, cost sharing flexibilities, financial flexibilities, managed care flexibilities, fair hearing flexibilities, health information exchange flexibilities, and COVID-19 T-MSIS coding guidance. Notably:

  • States that have CHIP disaster provisions in their state plans can activate these provisions. CMS considers a significant outbreak of an infectious disease to be a disaster. CMS also recommends that states that do not have disaster relief provisions in their CHIP state plans include language that a federal- or governor-declared emergency is considered an event that can trigger the disaster provisions.

States may not suspend use of their AVS, however CMS reminds states that they can rely on self-attestation of assets and verify financial assets using their AVS post-enrollment in Medicaid.

  • CMS can help provide technical assistance regarding approaches states can use to rapidly scale telehealth technologies.
  • CMS clarified and provided COVID-19 T-MSIS coding guidance.

For more information

We’re here to help. If you have more questions or want to have an in-depth conversation about your specific situation, please contact the team

Blog
Takeaways from CMS national stakeholder call

Per CMS, all state Medicaid agencies, including territories, are eligible for the increased Federal Medical Assistance Percentage (FMAP), provided they adhere to the conditions outlined in the Families First Coronavirus Response Act (FFCRA). 

Key takeaways:

  • The increase in FMAP will be retroactive to January 1, 2020 and will be available to state Medicaid agencies through the end of the quarter in which the public health emergency for COVID-19 ends.
  • This guidance answers some of the following questions for states, including:
    • How long the funding will be available and when it begins
    • What costs are matchable under the enhanced funding 
    • The specific conditions under which states are eligible to claim the funds 
    • What documentation and processes will be needed in order to gain full access to funding

Trump administration releases COVID-19 checklists and tools to accelerate relief for state Medicaid & CHIP programs

In order to assist states as part of the COVID-19 outbreak, the Trump administration has released a number of tools and checklists that constitute a federal authority toolkit to support states in applying for and receiving federal waivers and other key flexibilities for their program. 

Key takeaways:
The tools released today include:

CMS issues FAQs on catastrophic health coverage and the coronavirus

A catastrophic health plan may not provide coverage of an essential health benefit prior to an enrollee meeting the deductible for that plan. In order to clarify treatment and coverage of COVID-19 for catastrophic health plans CMS has issued Frequently Asked Questions (FAQs).

Key takeaways:

  • Catastrophic plans currently include coverage for the diagnosis and treatment of COVID-19 as they must cover the essential health benefits (EHB) as required by the Patient Protection and Affordable Care Act (PPACA).
  • Issuers of catastrophic plans will be able to provide coverage for the diagnosis and treatment of COVID-19 for enrollees who have not yet met their deductible without CMS taking enforcing action.
  • The FAQ document encourages states to take an enforcement approach and CMS does not “consider a state to have failed to substantially enforce section 1302(e) of the PPACA if it takes such an approach.”

Relief for clinicians, providers, hospitals, and facilities participating in quality reporting programs in response to COVID-19

CMS is granting exceptions from reporting requirements and extensions for clinicians and providers participating in Medicare quality reporting programs.  

Key takeaways:

  • The exceptions include pending dates for measure reporting and data submission for related programs. 
  • For data submission deadlines in April and May of 2020, submission of those data will be optional, based on the facility’s choice to report.
  • 2019 data submission
    • Deadline extended from March 31, 2020 to April 30, 2020.
    • Deadlines for October 1, 2019 - December 31, 2019 (Q4) 
    • Data submission is optional for inpatient rehabilitation and hospital-acquired conditions.

CMS releases telehealth toolkits for general practitioners and End-Stage Renal Disease (ESRD) providers

CMS has released two toolkits on telehealth which follow the broadened access to Medicare telehealth services under the 1135 waiver authority and Coronavirus Preparedness and Response Supplemental Appropriations Act.

Key takeaways:

  • The toolkit consists of electronic links to sources of information pursuant to telehealth and telemedicine. 
  • Generally directed towards providers, particularly ones who may be considering a permanent telemedicine program.
  • CMS notes that most of the resources were established prior to the current COVID-19 crisis. As a result, there are likely references to rules and regulations whose requirements may have been waived for the duration of the outbreak.

Toolkits:

For more information

We’re here to help. If you have more questions or want to have an in-depth conversation about your specific situation, please contact the team

Blog
New guidance regarding enhanced Medicaid funding for states

Here is a summary of information we have gleaned from recent CMS updates and guidance. 

COVID-19 stakeholder call - March 16 

CMS held a National Stakeholder Call on March 16, 2020 to update the healthcare community on the rapidly evolving COVID-19 situation, which was declared a national emergency by President Trump on March 13, 2020.

Key takeaways:

  • Administrator Verma reaffirmed the goal of reducing administrative barriers in the way of healthcare workers and agencies and to support them as best CMS is able.
  • Acknowledging that there were questions on testing, Administrator Verma outlined that there will be a ramp-up in testing in conjunction with state and local governments. 
  • CMS is relaxing clinician enrollment requirements for Medicare and making the same option available to states in their Medicaid programs.
  • The administration has been clear that it wants agencies to focus on infection control efforts. CMS is designing a streamlined template to evaluate infection control.
  • CMS sends guidance to Programs of All-Inclusive Care for the Elderly (PACE) Organizations.

On March 17, 2020, CMS issued guidance to all Programs of All-Inclusive Care for the Elderly (PACE) Organizations (POs) on accepted policies and standard procedures with respect to infection control.

Key takeaways:

  • POs will need to create, apply, and sustain a documented infection control plan that involves procedures to recognize, examine, regulate, and avert infections in PACE centers
  • POs will need to work to prevent infections within each participant’s place of residence, as well as implement procedures to record and develop corrective actions related to incidents of infection.
  • CMS provides guidance that recognizes POs may need to undertake strategies that do not traditionally comply with CMS PACE program requirements in order to provide benefits while guarding from COVID-19. Some examples of this may include telehealth services.
  • President Trump expands telehealth benefits for Medicare beneficiaries during COVID-19 outbreak.

CMS is expanding Medicare’s telehealth benefits under the 1135 waiver authority and the Coronavirus Preparedness and Response Supplemental Appropriations Act.

Key takeaways:

  • Under the new 1135 waiver, Medicare can pay for office, hospital, and other visits provided via telehealth across the country and including in patient’s place of residence starting March 6, 2020. 
  • Medicare telehealth visits: These visits are considered the same as in-person visits and are paid at the same rate as regular, in-person visits.
  • Virtual check-ins: Virtual check-in services can only be reported when the billing practice has an established relationship with the member.  
  • E-visits: Such services can only be reported when the billing practice has an established relationship with the patient.  

CMS coronavirus partner virtual toolkit

CMS has released a virtual toolkit to help stakeholders stay up-to-date on CMS materials available on COVID-19. Here is specific guidance from the toolkit designed for states and health plans:

CMS approves first state request for 1135 Medicaid waiver in Florida and Washington

The 1135 waiver allows Florida and Washington to modify certain Medicaid program requirements, policies, operational procedures, and deadlines applicable to each state’s administration of its Medicaid program during the period of the national state of emergency to prevent further transmission of COVID-19. 

Key takeaways from Florida’s waiver

  • Provider participation flexibilities for Medicaid and CHIP Waiver of Service Prior Authorization (PA) Requirements for fee-for-service delivery systems
  • Waiver for Pre-Admission Screening and Annual Resident Review (PASRR) Level II Level II Assessments for 30 Days
  • Waiver to allow evacuating facilities to provide services in alternative settings, such as a temporary shelter when a provider’s facility is inaccessible
  • Waiver to temporarily delay scheduling for state fair hearing requests and appeal deadlines (NOTE: CMS was unable to waive all of Florida’s requested authorities in this area)

If you have questions or would like more information, we are here to help. Please contact us

Blog
CMS update for the healthcare community: Our takeaways

In early March 2020, the US Department of Education (ED) issued a Dear Colleague Letter, “Guidance for interruptions of study related to Coronavirus (COVID-19),” posting a subsequent update March 20 to include the document “Frequently Asked Questions Related to COVID-19.” The information below has been excerpted directly from the letter and compiled with the needs of our higher education clients in mind.

This electronic announcement addresses concerns regarding how higher education leaders should comply with Title IV, Higher Education Act (HEA) policies for students whose activities are impacted by the coronavirus and COVID-19:

  • Either directly because the student is ill or quarantined, or 
  • Indirectly because the student was recalled from travel-abroad experiences, can no longer participate in internships or clinical rotations, or attends a campus that has temporarily suspended operations.

This information provides some flexibility for schools working to help students complete the term in which they are currently enrolled. Some of the most important changes to note:

  • Federal Work Study (FWS)
    For students enrolled and performing FWS at a campus that must close due to COVID-19, or for a FWS student who works for an employer that closes as a result of COVID-19, the institution may continue paying the student federal work-study wages during that closure if it occurred after the beginning of the term, the institution is continuing to pay its other employees (including faculty and staff), and the institution continues to meet its institutional wage share requirement.
  • Length of academic year
    If at any point an institution determines it will close as the result of a campus health emergency, it may contact the school participation team to request a temporary reduction in the length of its academic year.
  • Professional judgement
    Financial aid administrators (FAA) have statutory authority to use professional judgement to make adjustments on a case-by-case basis to the cost of attendance or to the data elements used in calculating the EFC to reflect a student’s special circumstances. The use of professional judgement where students and/or their families have been affected by COVID-19 is permitted, such as in the case where an employer closes for a period of time as a result of COVID-19. 
  • Reentering the same payment period
    If an institution that has closed subsequently re-opens during the same payment period or period of enrollment, and permits students to continue coursework that they were taking at the time of the closure, students that return to class at that time are considered to have reentered the same period and retain eligibility for Title IV aid that they were otherwise eligible to receive before the closure.

We highly recommend you read the full letter, as it outlines additional important details and includes recently added FAQ documents.

Questions? Please contact Renee Bishop, Sarah Belliveau, or Mark LaPrade. We’re here to help.

For further reading
Guidance for interruptions of study related to Coronavirus (COVID-19) 
FAQs
COVID-19 ("Coronavirus") Information and Resources for Schools and School Personnel
 

Blog
Guidance from the US Department of Education Dear Colleague Letter

The President signed The Families First Coronavirus Response Act (hereinafter the “Act”) into law on March 18th and the provisions are effective April 2nd. You can read the congressional summary here. There are two provisions of the Act that deal with paid leave provisions for employees. Here are some highlights for employers.

The provisions of the Act are only required for employers with fewer than 500 employees. Employers with over 499 employees are not required to provide the sick/family leave contained in the Act, but could voluntarily elect to follow the new rules. The expectation is that employers with over 499 employees are providing some level of sick/family leave benefits already. In any case, employers with over 499 employees are not eligible for the tax credits. 

Employers with fewer than 500 employees are required to provide employees with up to 80 hours of paid sick leave over a two-week period if the employee:

  • Self-isolates because of a diagnosis with COVID-19, or to comply with a recommendation or order to quarantine;
  • Obtains a medical diagnosis or care if the employee is experiencing COVID-19 symptoms;
  • Needs to care for a family member who is self-isolating due to a COVID-19 diagnosis or quarantining due to COVID-19 symptoms; or
  • Is caring for a child whose school has closed, or childcare provider is unavailable, due to COVID-19.

These rules apply to all employees regardless of the length of time they have worked for the employer. The 80-hours would be pro-rated for those employees who do not normally work a 40-hour week. 

Employees who take leave because they themselves are sick (i.e., the first two bullets above) can receive up to $511 per day, with an aggregate limit of $5,110. If, on the other hand, an employee takes leave to care for a child or other family member (i.e., the last two bullets above), the employee will be paid two-thirds (2/3) of their regular weekly wages up to a maximum of $200 per day, with an aggregate limit of $2,000.

Days when an individual receives pay from their employer (regular wages, sick pay, or other paid time off) or unemployment compensation do not count as leave days for the purposes of this benefit.

Family and Medical Leave Act

Employees who have been employed for at least 30-days also have the right to take up to 12 weeks of job-protected leave under the Family and Medical Leave Act (FMLA). The Act requires that 10 of these 12 weeks (i.e., after the sick leave discussed above is taken) be paid at a rate of no less than two-thirds of the employee’s usual rate of pay. Any leave taken under this portion of the ACT will be limited to $200 per day with an aggregate limit of $10,000.

Exemptions

The Secretary of Labor has the authority to issue regulations exempting: (1) certain healthcare providers and emergency responders from taking leave under the Act; and (2) small businesses with fewer than 50 employees from the requirements of the Act if it would jeopardize the viability of the business.

Expiration

The provisions of the Act are set to expire on December 31, 2020, and unused time will not carry over from one year to the next.

Tax credits 

The Act provides for refundable tax credits to help an employer cover the costs associated with providing paid emergency sick leave or paid FMLA. The tax credits work as follows:

  • A refundable tax credit for employers equal to 100 percent of qualified family leave wages paid under the Act.
  • A refundable tax credit for employers equal to 100 percent of qualified paid sick leave wages paid under the Act. 
  • The tax credits are taken on Form 941 – Employer’s Quarterly Federal Income Tax Return filed for the calendar quarter when the leave is taken and reduce the employer’s portion of the Social Security taxes due. If the credit exceeds the employer’s total liability for Social Security taxes for all employees for any calendar quarter, the excess credit is refundable to the employer.

For more information

We are here to help. Please contact our benefit plan consultants if you have any questions or would like to discuss your specific situation. 

Blog
Highlights of the recently passed paid sick and family leave act: What you need to know

Editor’s note: Please read this if you are a not-for-profit board member, CFO, or any other decision maker within a not-for-profit.

In a time where not-for-profit (NFP) organizations struggle with limited resources and a small back office, it is important not to overlook internal audit procedures. Over the years, internal audit departments have been one of the first to be cut when budgets are tight. However, limited resources make these procedures all the more important in safeguarding the organization’s assets. Taking the time to perform strategic internal audit procedures can identify fraud, promote ethical behavior, help to monitor compliance, and identify inefficiencies. All of these lead to a more sustainable, ethical, and efficient organization. 

Internal audit approaches

The internal audit function can take on many different forms, depending on the size of the organization. There are options between the dedicated internal audit department and doing nothing whatsoever. For example:

  • A hybrid approach, where specific procedures are performed by an internal team, with other procedures outsourced. 
  • An ad hoc approach, where the board or management directs the work of a staff member.

The hybrid approach will allow the organization to hire specialists for more technical tasks, such as an in-depth financial analysis or IT risk assessment. It also recognizes internal staff may be best suited to handle certain internal audit functions within their scope of work or breadth of knowledge. This may add costs but allows you to perform these functions otherwise outside of your capacity without adding significant burden to staff. 

The ad hoc approach allows you to begin the work of internal audit, even on a small scale, without the startup time required in outsourcing the work. This approach utilizes internal staff for all functions directed by the board or management. This leads to the ad-hoc approach being more budget friendly as external consultants don’t need to be hired, though you will have to be wary of over burdening your staff.

With proper objectivity and oversight, you can perform these functions internally. To bring the process to your organization, first find a champion for the project (CFO, controller, compliance officer, etc.) to free up staff time and resources in order to perform these tasks and to see the work through to the end. Other steps to take include:

  1. Get the audit/finance committee on board to help communicate the value of the internal audit and review results of the work
  2. Identify specific times of year when these processes are less intrusive and won’t tax staff 
  3. Get involved in the risk management process to help identify where internal audit can best address the most significant risks at the organization
  4. Leverage others who have had success with these processes to improve process and implementation
  5. Create a timeline and maintain accountability for reporting and follow up of corrective actions

Once you have taken these steps, the next thing to look at (for your internal audit process) is a thoughtful and thorough risk assessment. This is key, as the risk assessment will help guide and focus the internal audit work of the organization in regard to what functions to prioritize. Even a targeted risk assessment can help, and an organization of any size can walk through a few transaction cycles (gift receipts or payroll, for example) and identify a step or two in the process that can be strengthened to prevent fraud, waste, and abuse.  

Here are a few examples of internal audit projects we have helped clients with:

  • Payroll analysis—in-depth process mapping of the payroll cycle to identify areas for improvement
  • Health and education facilities performance audit—analysis of various program policies and procedures to optimize for compliance
  • Agreed upon procedures engagement—contract and invoice/timesheet information review to ensure proper contractor selection and compliant billing and invoicing procedures 

Internal audits for companies of all sizes

Regardless of size, your organization can benefit from internal audit functions. Embracing internal audit will help increase organizational resilience and the ability to adapt to change, whether your organization performs internal audit functions internally, outsources them, or a combination of the two. For more information about how your company can benefit from an internal audit, or if you have questions, contact us

Blog
Internal audit potential for not-for-profit organizations

Editor’s note: Read this if you are a Chief Executive Officer, Chief Financial Officer, Chief Risk Officer, Chief Information Officer, or Controller.

Last month, the Office of the Comptroller of the Currency (OCC) issued its Semiannual Risk Perspective for Fall 2019. The report addresses key issues facing banks and focuses on those that pose threats to their safety and soundness. According to the report:

  • Bank financial performance is strong due to a favorable credit environment and the longest economic expansion in U.S. history.
  • Capital levels have reached historical highs.
  • Return on equity was above its 2006 pre-crisis level for the first time at 12.7%.
  • Net income grew 8.22% from the same period a year ago; however, net interest income grew only 4%, as loan growth is below historical averages and an increasing number of banks are facing a flat or declining net interest margin.
  • There is continued weakness in residential and commercial real estate loan growth.
  • Delinquent and nonperforming loans remain below their long-term averages.


Banks can thrive even with economic uncertainty

While these trends indicate that 2019 was by and large an excellent year, banks cannot afford to be complacent, as 2019 also saw increasing risks to the industry. For instance, in 2019 there was much discussion of the future cessation of the London InterBank Offer Rate (LIBOR). The OCC has indicated it will increase its regulatory oversight regarding the anticipated cessation, to ensure banks assess their exposure to LIBOR and are appropriately planning their transition from the widely used benchmark rate. The Financial Accounting Standards Board (FASB) is also working on a project to address accounting issues that could arise from the transition from LIBOR.

And, although 2019 continued the longest economic expansion in US history, economic uncertainty exists due to, in part, the US-China trade conflict and ongoing Brexit discussions. This economic uncertainty has caused volatility in the interest rate environment. Aside from the yield curve inverting in 2019, banks also saw the Federal Funds target rate increase 25 basis points prior to decreasing 50 basis points. Given the typically asset-sensitive nature of banks’ balance sheets, the current interest rate environment will also put pressure on net interest margins. The current volatility of interest rates has caused the OCC to conclude interest rate risk is currently at heightened levels. 

Net interest income continues to be the most significant driver of net revenues for community banks, comprising nearly 80% of net revenues. With a difficult interest rate environment and lackluster loan growth in residential and commercial real estate, banks may face a difficult path ahead. Banks should tread cautiously, especially if this uncertainty persists. Asset-liability management will need be a significant focus (more than usual) as banks try to position themselves to not only maintain profitability through this uncertainty, but also come out stronger than before. Specifically, if lower rates persist, asset growth will need be a priority over deposit growth to maintain profitability at lower net interest margins. If loan growth continues to wane, this will prove to be difficult.

Innovations to compete with new lending sources

Adding to the list of threats to performance is the increasing amount of alternative financial resources available to borrowers. Banks have traditionally been the only source of credit for borrowers. However, technology has rapidly changed that landscape. Person-to-person (P2P) lending (also known as crowd lending, or social lending), allows people to borrow funds directly from another person, cutting out traditional lending sources (banks). Additionally, blockchain technology, if the hype is accurate, has the potential to eliminate the need of a financial intermediary altogether. 

Banks are adapting to this competition and to customers looking for more convenience and alternative services by offering new, unique services that differentiate themselves from others and provide added value to the customer. Banks have delivered through remote deposit, ATMs, and interactive teller machines (ITMs). Banks will need to continue to adopt innovative services to remain competitive. 

For instance, banks could offer video conferencing services, in which customers could have a live conversation with a bank representative through their smartphone. This convenience would allow a customer to conduct a transaction, such as apply for a loan, from the convenience of their home, while still maintaining human interaction throughout the transaction. Such a service would help banks compete with digital channels offered by non-banks, such as Quicken Loans, which is now the largest mortgage originator in the United States.

Strategies to protect against technological risks

These services all require the use of existing and new technologies, which have caused banks to hold more personally identifiable information (PII) digitally across an increasing number of digital platforms. As noted by the OCC, this digital exposure has created persistent cybersecurity risks for banks. Adopting a robust cybersecurity framework is no longer an option. 

Banks should bring cybersecurity to the forefront of their strategic planning. Any strategic plan must consider cybersecurity implications, as a single disaster can be detrimental to a bank’s reputation. And, given this rapidly changing environment, the cybersecurity conversation must be ongoing through relevant bank committees and the board of directors.

Furthermore, these technological solutions require partnerships with businesses that banks would not traditionally partner with. Financial technology (fintech) companies don’t just pose as a competitor to traditional banks. Many fintech companies are offering their technological solutions to traditional banks. However, outsourcing technological solutions to fintech companies and other businesses does not relieve a bank from performing its own due diligence and ensuring those companies meet the bank’s standards. 

Banks should evaluate potential vendors to ensure they comply with the bank’s vendor management policy. Since environments are constantly changing, this evaluation should be ongoing. Many vendors now provide System and Organization Controls (SOC) reports which detail the control environment at the vendor and involve independent third-party testing of those controls that exist at the vendor. SOC reports can provide a useful starting point for evaluating a vendor’s ongoing compliance with the bank’s vendor management policy. However, it is not a substitute for ongoing communication with a vendor.

There is no doubt 2019 was a successful year for banks. But past performance is not a guarantee of future success. Banks face many challenges, risks, and uncertainties, of which only a few have been outlined above. The current landscape may be challenging but it is also filled with opportunity. Banks should consider expanding their services, adopting new technologies, and partnering with other companies to leverage their strengths. Doing so should help position themselves for an exciting decade ahead.

If you have specific concerns about challenges facing your institution, please contact the team

Blog
Banking and finance: 2020 challenges and what to do to overcome them

Editor's note: read this if you are a CFO, controller, accountant, or business manager.

We auditors can be annoying, especially when we send multiple follow-up emails after being in the field for consecutive days. Over the years, we have worked with our clients to create best practices you can use to prepare for our arrival on site for year-end work. Time and time again these have proven to reduce follow-up requests and can help you and your organization get back to your day-to-day operations quickly. 

  1. Reconcile early and often to save time.
    Performing reconciliations to the general ledger for an entire year's worth of activity is a very time consuming process. Reconciling accounts on a monthly or quarterly basis will help identify potential variances or issues that need to be investigated; these potential variances and issues could be an underlying problem within the general ledger or control system that, if not addressed early, will require more time and resources at year-end. Accounts with significant activity (cash, accounts receivable, investments, fixed assets, accounts payable and accrued expenses and debt), should be reconciled on a monthly basis. Accounts with less activity (prepaids, other assets, accrued expenses, other liabilities and equity) can be reconciled on a different schedule.
  2. Scan the trial balance to avoid surprises.
    As auditors, one of the first procedures we perform is to scan the trial balance for year-over-year anomalies. This allows us to identify any significant irregularities that require immediate follow up. Does the year-over-year change make sense? Should this account be a debit balance or a credit balance? Are there any accounts with exactly the same balance as the prior year and should they have the same balance? By performing this task and answering these questions prior to year-end fieldwork, you will be able to reduce our follow up by providing explanations ahead of time or by making correcting entries in advance, if necessary. 
  3. Provide support to be proactive.
    On an annual basis, your organization may go through changes that will require you to provide us documented contractual support.  Such events may include new or a refinancing of debt, large fixed asset additions, new construction, renovations, or changes in ownership structure.  Gathering and providing the documentation for these events prior to fieldwork will help reduce auditor inquiries and will allow us to gain an understanding of the details of the transaction in advance of performing substantive audit procedures. 
  4. Utilize the schedule request to stay organized.
    Each member of your team should have a clear understanding of their role in preparing for year-end. Creating columns on the schedule request for responsibility, completion date and reviewer assigned will help maintain organization and help ensure all items are addressed and available prior to arrival of the audit team. 
  5. Be available to maximize efficiency. 
    It is important for key members of the team to be available during the scheduled time of the engagement.  Minimizing commitments outside of the audit engagement during on site fieldwork and having all year-end schedules prepared prior to our arrival will allow us to work more efficiently and effectively and help reduce follow up after fieldwork has been completed. 

Careful consideration and performance of these tasks will help your organization better prepare for the year-end audit engagement, reduce lingering auditor inquiries, and ultimately reduce the time your internal resources spend on the annual audit process. See you soon. 

Blog
Save time and effort—our list of tips to prepare for year-end reporting

Editor’s note: read this if you work for, or are affiliated with, a charitable organization that receives donations. Even the most mature nonprofit organizations may miss one of these filings once in a while. Some items (e.g., the donor acknowledgement letter) may feel commonplace, but a refresher—especially at a particularly busy time of the year as it pertains to giving—can fend off fines.

As the holiday season is now in full swing, the season of giving is also upon us. Perhaps not surprisingly, the month of December is by far the most charitable month of the year, accounting for almost one-third of all charitable gifts made annually. And with all that giving comes the requirement of charitable organizations to provide donor acknowledgements, a formal “thank you” of the gift being received. Different gifts require differing levels of acknowledgement, and in some cases an additional IRS form (or two) may need to be filed. Doing some work now may save you time (and a fine or two) later. 

While children are currently busy making lists for Santa Claus, in the spirit of giving we present to you our list of donor acknowledgement requirements―and best practices―to help you gain control of this issue for the holiday season and beyond.

Donor acknowledgement letters

Charitable (i.e., 501(c)(3)) organizations are required to provide a donor acknowledgement letter to each donor contributing $250 or more to the organization, whether it be cash or non-cash items (i.e., publicly traded securities, real estate, artwork, vehicles, etc.) received. The letter should include the following: 

  1. Name of the organization
  2. Amount of cash contribution
  3. Description of non-cash items (but not the value) 
  4. Statement that no goods and services were provided (assuming this is the case)
  5. Description and good faith estimate of the value of goods and services provided by the organization in return for the contribution, if any
  6. Statement that goods or services provided by the organization in return for the contribution consisted entirely of intangible religious benefit, if any

It is not necessary to include either the donor’s social security number or tax identification number on the written acknowledgment and as a best practice should not be included in the letter.

In addition to including the elements above, the written acknowledgement is also required to be contemporaneous, that is, sent out in a timely fashion. According to the IRS, a donor must receive the acknowledgment by the earlier of:

  • The date on which the donor actually files his or her individual federal income tax return for the year of the contribution
  • The due date (including extensions) of the return in order to be considered contemporaneous

Quid pro quo disclosure statements

When a donor makes a payment greater than $75 to a charitable organization partly as a contribution and partly as a payment for goods and services, a disclosure statement is required to notify the donor of the value of the goods and services received in order for the donor to determine the charitable contribution component of their payment.

An example of this would be if the organization sold tickets to its annual fundraising dinner event. Assume the ticket costs $100 and at the event the ticketholder receives a dinner valued at $40. In this example, the donor’s tax deduction may not exceed $60. Because the donor’s payment (quid pro quo contribution) exceeds $75, the charitable organization must furnish a disclosure statement to the donor, even though the deductible amount doesn’t exceed $75.

It’s important to note that there are some exclusions to these requirements if the value received is considered to be de minimis (known as the Token Exception), but the value received needs to be relatively small (ex: receiving a coffee mug with a picture of the organization’s logo on it). Please consult your tax advisor for more details.

If the organization does not issue disclosure statements, the IRS can issue penalties of $10 per contribution, not to exceed $5,000 per fundraising event or mailing. An organization may be able to avoid the penalty if reasonable cause can be demonstrated.

Receiving or selling donated noncash property? Forms 8283 & 8282 may be required.

If a charitable organization receives noncash donations, it may be asked to sign Form 8283. This form is required to be filed by the donor and included with their personal income tax return. If a donor contributes noncash property (excluding publicly traded securities) valued at over $5,000, the organization will need to sign Form 8283, Section B, Part IV acknowledging receipt of the noncash item(s) received.

By signing Form 8283, the donee organization is not only acknowledging receipt, but is also affirming that if the property being received is sold, exchanged, or otherwise disposed of within three years of the original donation date, the organization will be required to file Form 8282. A copy of this form is filed with the IRS and must also be provided to the original donor. Form 8282 is not required for sales of donated publicly traded securities. The penalty for failure to file Form 8282 when required is generally $50 per form.

Cars, boats, and yes, even airplanes? That would be Form 1098-C.

An airplane? Yes, even an airplane can be donated, and the donee organization must file a separate Form 1098-C, Contributions of Motor Vehicles, Boats, and Airplanes, with the IRS for each contribution of a qualified vehicle that has a claimed value of more than $500. Contemporaneous written acknowledgement requirements apply here too, and Form 1098-C can act as acknowledgement for this purpose. An acknowledgment is considered contemporaneous if it is furnished to the donor no later than 30 days after the date of the contribution if you plan to use the item for a mission-related purpose, or 30 days after the date of the sale of the item to an unrelated third party.

Penalties for failure to provide contemporaneous written acknowledgement for qualified vehicles can be pretty stiff, generally calculated as a percentage of the sale price if sold, or a percentage of the claimed value if not sold. Should you have any questions or receive a request regarding any of the forms noted above, please consult your tax advisor.

As you can see, the rules around donor acknowledgements can seem a lot like Grandma’s fruitcake―complex and perhaps a bit on the nutty side. When issuing donor acknowledgements this holiday season and beyond, be sure to review the list above and check it twice. Doing so may end up keeping you off of the IRS’s naughty list!

Blog
Donor acknowledgements: We have to file what?

Read this if you are a State Medicaid Director, State Medicaid Chief Information Officer, State Medicaid Project Manager, or State Procurement Officer—or if you work on a State Medicaid Enterprise System (MES) certification effort.

On October 24, 2019, the Centers for Medicaid and Medicare Services (CMS) published the Outcomes-Based Certification (OBC) guidance for the Electronic Visit Verification (EVV) module. Now, CMS is looking to bring the OBC process to the rest of the Medicaid Enterprise. 

The shift from a technical-focused certification to a business outcome-focused approach presents a unique opportunity for states as they begin re-procuring—and certifying—their Medicaid Enterprise Systems (MES).

Once you have defined the scope of your MES project—and know you need to undertake CMS certification—you need to ask “what’s next?” OBC can be a more efficient certification process to secure Federal Financial Participation (FFP).

What does OBC certification entail?

Rethinking certification in terms of business outcomes will require agencies to engage business and operations units at the earliest possible point of the project development process to define the program goals and define what a successful implementation is. One way to achieve this is to consider MES projects in three steps. 

Three steps to OBC evaluation

Step 1: Define outcomes

The first step in OBC planning seems easy enough: define outcomes. But what is an outcome? To answer that, it’s important to understand what an outcome isn’t. An outcome isn’t an activity. Instead, an outcome is the result of the activity. For example, the activity could be procuring an EVV solution. In this instance, an outcome could be that the state has increased the ability to detect fraud, waste, and abuse through increased visibility into the EVV solution.

Step 2: Determine measurements

The second step in the OBC process is to determine what to measure and how exactly you will measure it. Deciding what metrics will accurately capture progress toward the new outcomes may be intuitive and therefore easy to define. For example, a measure might simply be that each visit is captured within the EVV solution.

Increasing the ability to detect fraud, waste, and abuse could simply be measured by the number of cases referred to a Medicaid fraud unit or dollars recovered. However, you may not be able to easily measure that in the short-term. Instead, you may need to determine its measurement in terms of an intermediate goal, like increasing the number of claims checked against new data as a result of the new EVV solution. By increasing the number of checked claims, states can ensure that claims are not being paid for unverified visits. 

Step 3: Frequency and reporting

Finally, the state will need to determine how often to report to measure success. States will need to consider the nuances of their own Medicaid programs and how those nuances fit into CMS’ expectations, including what data is available at what intervals.

OBC represents a fundamental change to the certification process, but it’s important to highlight that OBC isn’t completely unfamiliar territory. There is likely to be some carry-over from the certification process as described in the Medicaid Enterprise Certification Toolkit (MECT) version 2.3. The current Medicaid Enterprise Certification (MEC) checklists serve as the foundation for a more abbreviated set of criteria. New evaluation criteria will look and feel like the criteria of old but are likely to be a fraction of the 741 criteria present in the MECT version 2.3.

OBC offers several benefits to states as you navigate federal certification requirements:

  1. You will experience a reduction in the amount of time, effort, and resources necessary to undertake the certification process. 
  2. OBC refocuses procurement in terms of enhancements to the program, not in new functions. Consequently, states will also be able to demonstrate the benefits that each module brings to the program which can be integral to stakeholder support of each module. 
  3. Early adoption of the OBC process can allow you to play a more proactive role in certification efforts.

Continue to check back for a series of our project case studies. Additionally, if you are considering an OBC effort and have questions, please contact our team. You can read the OBC guidance on the CMS website here
 

Blog
Three steps to outcomes-based certification

Editor's note: Read this if you are a CTO, CIO, or administrator at a college or university. This is the first blog in a series on business lessons and best practices from American literature. For this series, interviewees select from a list of American literary quotes through which to view, and discuss, their focus or industry. The goal? To generate some novel insight.

The interviewees: David Houle and Joseph Traino, consultants at BerryDunn
The focus: Higher education
The quote: “Our inventions are wont to be pretty toys . . . They are but improved means to an unimproved end.”  -- Henry David Thoreau, Walden; or, Life in the Woods

Thoreau wrote this shortly after the Industrial Revolution. How does its cynicism apply to higher education during the Digital Revolution?

David Houle (DH): It speaks to my basic philosophy about applying technology to the needs of higher education clients. I’m not a “technology for the sake of technology” cheerleader. 

Joseph Traino (JT): People often believe that applying new technology to a business problem is going to solve the business problem. That rarely happens. For example, most higher education clients have a student information system. These clients often feel that, in order to resolve certain issues, they should update the system software, whereas the issues are often resolved by updating business practices to be more efficient and effective. 

DH: Right. We are often brought in to identify needed technology changes but end up stressing practices, processes, and people. If staff can’t correctly use a new technology, then the technology will not provide a real, valuable service.

When implementing a new technology, what’s the #1 thing that a higher education institution can do to prevent or avoid “an unimproved end”?

JT: Fully understand the technology’s impact on stakeholders, such as students, faculty, and staff, and answer the “why?”

DH: Keep people in mind and gain their buy-in when making technology decisions.

What technology, or technology-related change, is going to have the biggest effect on higher education over the next five years?

DH: Clients love to ask us this question (laughs). And if I truly knew the answer, I’d be on some Caribbean island right now, filthy rich and sipping a piña colada. That said, I think the technology demands of the new workforce are going to have the biggest effect. To paraphrase the new workforce: “I don’t want to stare at a green screen. And what in the world is DOS?” Conversely, the personnel who used to support these homegrown, in-house “green screen” products want to retire and leave the workforce. 

JT: I agree that the demands of the new workforce will continue to affect higher education and steer institutions away from term-based courses and programs and toward more flexible, student-centric courses and programs. From a technology standpoint, I think AI and bots are going to replace many of the manual processes that we still see today in higher education. These new technologies will create greater efficiencies—but also possibly reduce jobs—at institutions.

DH: Higher education leaders with vision have already grasped this idea of cutting administrative costs wherever possible, because those costs are not what place students in seats—or in front of screens. On the flip side, advising is currently an underserved area in higher education. So there is an opportunity for leaders to reallocate administrative resources to fulfill advising roles and to help students—such as at-risk and first-generation students—not just in the classroom, but through their learning journey.

Circling back to the Thoreau quote, I’m sure many higher education staff fear technology will lead to “unimproved ends” for their careers. How do you navigate those fears when working with clients? 

JT: It’s certainly a challenge. We currently face some of those fears when working with IT departments—more services are being moved to the cloud, and there is less of a need for on-site database administrators and system administrators, as an example. Alluding to what Dave said about advising, I think many higher education jobs can be shifted to provide interactive high-tech, high-touch services to students.

DH: And to be blunt, some people don’t want to shift, don’t want to change. The people part is the most challenging part of technology adoption. 

In this discussion about technology, we keep returning to people—and the people side of change. Are higher education clients typically responsive to the concept of change management?

JT: There’s typically some reticence, and a lack of understanding about the value of change management. In most cases, change management requires an investment beyond the technology investment. But change management is key to success. 

DH: Reticence is a good word. Yet I do think that views about change management are changing rapidly. Higher education leaders who have been through a significant system or process change now seem to understand the value of change management and know that change management is a necessity, not a luxury. 

In the end, are you confident that new technology is going to benefit students and their educational goals? 

DH: I’m unsure if technology improves the quality of education. However, I am sure that technology increases the options for the delivery of education. And greater flexibility in education delivery is certainly beneficial, especially because the traditional student is now non-traditional. Ongoing and 24/7 access demands in education are here to stay.

JT: I agree with Dave wholeheartedly. I think technology will help improve the means to the end, but I’m not sure if technology is going to improve the end. Technology is just one part of the education equation. 
 

Blog
Technology ≠ Education

Editor's note: read this blog if you are a state liquor administrator or at the C-level in state government. 

Surprisingly, the keynote address to this year’s annual meeting of the National Alcohol Beverage Control Association (NABCA) featured few comments on, well, alcohol. 

Why? Because cannabis is now the hot topic in state government, as consumers await its legalization. While the thought of selling cannabis may seem foreign to some state administrators, many liquor agencies are―and should be―watching. The fact is, state liquor agencies are already equipped with expertise and the technology infrastructure needed to lawfully sell a controlled substance. This puts them in a unique position to benefit from the industry’s continued growth. Common technology includes enterprise resource planning (ERP) and point-of-sale (POS) systems.

ERP

State liquor agencies typically use an ERP system to integrate core business functions, including finance, human resources, and supply chain management. Whether the system is handling bottles of wine, cases of spirits, or bags of cannabis, it is capable of achieving the same business goals. 

The existing checks and balances on controlled substances like alcohol in their current ERP system translate well to cannabis products. This leads to an important point: state governments do not need to procure a new IT system solely for regulating cannabis.

By leveraging existing ERP systems, state liquor agencies can sidestep much of the time, effort, and expense of selecting, procuring, and implementing a new system solely for cannabis sales and management. In control states, where the state has exclusively control of alcohol sales, liquor agencies are often involved in every stage of product lifecycle, from procurement to distribution to retailing.

With a few modifications, the spectrum of business functions that control states require for liquor—procuring new product, communicating with vendors and brokers, tracking inventory, and analyzing sales—can work just as well for cannabis.

POS

POS systems are necessary for most retail stores. If a state liquor agency decides to sell cannabis products in stores, they can use a POS system to integrate with the agency’s ERP system, though store personnel may require training to help ensure compliance with related regulations.

Cannabis is cash only (for now)

There is one major difference in conducting liquor versus cannabis sales at any level: currently states conduct all cannabis sales in cash. With cannabis illegal on the federal level, major banks have opted to decline any deposit of funds earned from cannabis-related sales. While some community banks are conducting cannabis-related banking, many retailers selling recreational cannabis in places like Colorado and California still deal in cash. While risky and not without challenges, these transactions are possible and less onerous to federal regulators. 

Taxes 

As markets develop, monthly tax revenue collections from cannabis continue to grow. Colorado and California have found cannabis-related tax revenue a powerful tool in hedging against uncertainty in year-over-year cash flows. Similar to beer sold wholesale, which liquor agencies tax even in control states, cannabis can be taxed at multiple levels depending on the state’s business model.

E-commerce

Even with liquor, few state agencies have adopted direct-to-consumer online sales. However, as other industries continue shifting toward e-commerce and away from brick and mortar retailing, private sector competition will likely feed increased consumer demand for online sales. Similar to ERP and POS systems, states can increase revenue by selling cannabis through e-commerce sales channels. In today’s online retail world, many prefer to buy products from their computer or smart phone instead of shopping in stores. State agencies should consider selling cannabis via the web to maximize this revenue opportunity. 

Applying expertise in the systems and processes of alcoholic beverage control can translate into the sale and regulation of cannabis, easing the transition states face to this burgeoning industry. If your agency is considering bringing in cannabis under management, you should consider strategic planning sessions and even begin a change management approach to ensure your agency adapts successfully. 

Blog
Considering cannabis: How state liquor agencies can manage the growing industry

This spring, I published a blog about the importance of data governance in higher education institutions. In the summer, a second blog covered implementing baseline principles for data governance. With fall upon us, it is time to transition to discussing three critical steps to create a data governance culture. 

1.    Understand the people side of change.

The culture of any organization begins and ends with its people. As you know, people are notoriously finicky when it comes to change (especially change like data governance initiatives that may alter the way we have to understand or interact with institutional data). I recommend that any higher education institution apply a change management methodology (e.g., Prosci®, Lewin’s Change Management Model) in order to gauge the awareness of, the desire for, and the practical realities of this change. If you apply your chosen methodology in an effective and consistent manner, change management will help you increase buy-in and break down resistance. 

2.    Identify and empower the right people for the right roles.

Higher education institutions often focus on data governance processes and technologies. While this is necessary, you can’t overlook the people part of data governance. In fact, you can argue it is the most important part, because without people, there will be no one to follow the processes you create or use the technologies you implement. 

To find the right people, you need to identify and establish three specific roles for your institution: data trustees, data stewards, and data managers. Once you have organized these roles and responsibilities, data governance becomes easier to manage. Some definitions:

Data trustees (the sponsors) – senior leadership (or designees) who oversee data policy, planning, and management. Their responsibilities include: 

  • Promoting data governance 
  • Approving and updating data policies​​
  • Assigning and overseeing data stewards
  • Being responsible for data governance

Data stewards (the owners) – directors, managers, associate deans, or associate vice presidents who manage one or more data types. Their responsibilities include:

  • Applying and overseeing data governance policies in their functional areas
  • Following legal requirements pertaining to data in their functional areas
  • Classifying data and identifying data safeguards
  • Being accountable for data governance

Data managers (the caretakers) – data system managers, senior data analysts, or functional users (registrar, financial aid, human resources, etc.) who perform day-to-day data collection and management operations. Their responsibilities include:

  • Implementing data governance policies in their functional areas
  • Resolving data issues in their functional areas 
  • Provide training and appropriate documentation to data users
  • Being informed and consulted about data governance

3.    Be consistent and hold people accountable.

Ultimately, your data governance team needs accountability in order to thrive. Therefore, it is up to data trustees, data stewards, and data managers to hold regular meetings, take and distribute meeting notes, and identify and follow up on meeting action items. Without this follow through, data governance initiatives will likely stall or stop altogether. 

More information on data governance 

Are you still curious about additional guiding principles of data governance in higher education? Please contact the team
 

Blog
People Power: Enacting Sustainable Data Governance

A version of this article was previously published on the Massachusetts Nonprofit Network

Editor’s note: while this blog is not technical in nature, you should read it if you are involved in IT security, auditing, and management of organizations that may participate in strategic planning and business activities where considerations of compliance and controls is required.

As we find ourselves in a fast-moving, strong business growth environment, there is no better time to consider the controls needed to enhance your IT security as you implement new, high-demand technology and software to allow your organization to thrive and grow. Here are five risks you need to take care of if you want to build or maintain strong IT security.

1. Third-party risk management―It’s still your fault

We rely daily on our business partners and vendors to make the work we do happen. With a focus on IT, third-party vendors are a potential weak link in the information security chain and may expose your organization to risk. However, though a data breach may be the fault of a third-party, you are still responsible for it. Potential data breaches and exposure of customer information may occur, leaving you to explain to customers and clients answers and explanations you may not have. 

Though software as a service (SaaS) providers, along with other IT third-party services, have been around for well over a decade now, we still neglect our businesses by not considering and addressing third-party risk. These third-party providers likely store, maintain, and access company data, which could potentially contain personally identifiable information (names, social security numbers, dates of birth, addresses), financial information (credit cards or banking information), and healthcare information of your customers. 

While many of the third-party providers have comprehensive security programs in place to protect that sensitive information, a study in 2017 found that 30% of data breaches were caused by employee error or while under the control of third-party vendors.1  This study reemphasizes that when data leaves your control, it is at risk of exposure. 

In many cases, procurement and contracting policies likely have language in contracts that already establish requirements for third-parties related to IT security; however the enforcement of such requirements and awareness of what is written in the contract is not enforced or is collected, put in a file, and not reviewed. What can you do about it?

Improved vendor management

It is paramount that all organizations (no matter their size) have a comprehensive vendor management program that goes beyond contracting requirements in place to defend themselves against third-party risk which includes:

  1. An inventory of all third-parties used and their criticality and risk ranking. Criticality should be assigned using a “critical, high, medium or low” scoring matrix. 
  2. At time of onboarding or RFP, develop a standardized approach for evaluating if potential vendors have sufficient IT security controls in place. This may be done through an IT questionnaire, review of a Systems and Organization Controls (SOC report) or other audit/certifications, and/or policy review. Additional research may be conducted that focuses on management and the company’s financial stability. 
  3. As a result of the steps in #2, develop a vendor risk assessment using a high, medium and low scoring approach. Higher risk vendors should have specific concerns addressed in contracts and are subject to more in depth annual due diligence procedures. 
  4. Reporting to senior management and/or the board annually on the vendors used by the organization, the services they perform, their risk, and ways the organization monitors the vendors. 

2. Regulation and privacy laws―They are coming 

2018 saw the implementation of the European Union’s General Data Privacy Regulation (GDPR) which was the first major data privacy law pushed onto any organization that possesses, handles, or has access to any citizen of EU’s personal information. Enforcement has started and the Information Commissioner’s Office has begun fining some of the world’s most famous companies, including substantial fines to Marriott International and British Airways of $125 million and $183 million Euros, respectively.2  Gone are the days where regulations lacked the teeth to force companies into compliance. 

With thanks to other major data breaches where hundreds of millions’ consumers private information was lost or obtained (e.g., Experian), more regulation is coming. Although there is little expectation of an American federal requirement for data protection, individual states and other regulating organizations are introducing requirements. Each new regulation seeks to protect consumer privacy but the specifics and enforcement of each differ. 

Expected to be most impactful in 2019 is the California Consumer Privacy Act,  which applies to organizations that handle, collect, or process consumer information and do business in the state of California (you do not have to be located in CA to be under the umbrella of enforcement).

In 2018, Maine passed the toughest law on telecommunications providers for selling consumer information. Massachusetts’ long standing privacy and data breach laws were amended with stronger requirements in January of 2019. Additional privacy and breach laws are in discussion or on the table for many states including Colorado, Delaware, Ohio, Oregon, Ohio, Vermont, and Washington, amongst others.      

Preparation and awareness are key

All organizations, no matter your line of business must be aware of and understand current laws and proposed legislation. New laws are expected to not only address the protection of customer data, but also employee information. All organizations should monitor proposed legislation and be aware of the potential enforceable requirements. The good news is that there are a lot of resources out there and, in most cases, legislative requirements allow for grace periods to allow organizations to develop a complete understanding of proposed laws and implement needed controls. 

3. Data management―Time to cut through the clutter 

We all work with people who have thousands of emails in their inbox (in some cases, dating back several years). Those users’ biggest fears may start to come to fruition―that their “organizational” approach of not deleting anything may come to an end with a simple email and data retention policy put in place by their employer. 

The amount of data we generate in a day is massive. Forbes estimates that we generate 2.5 quintillion bytes of data each day and that 90% of all the world’s data was generated in the last two years alone.3 While data is a gold mine for analytics and market research, it is also an increasing liability and security risk. 

Inc. Magazine says that 73% of the data we have available to us is not used.4 Within that data could be personally identifiable information (such as social security numbers, names, addresses, etc.); financial information (bank accounts, credit cards etc.); and/or confidential business data. That data is valuable to hackers and corporate spies and in many cases data’s existence and location is unknown by the organizations that have it. 

In addition to the security risk that all this data poses, it also may expose an organization to liability in the event of a lawsuit of investigation. Emails and other communications are a favorite target of subpoenas and investigations and should be deleted within 90 days (including deleted items folders). 

Take an inventory before you act

Organizations should first complete a full data inventory and understand what types of data they maintain and handle, and where and how they store that data. Next, organizations can develop a data retention policy that meets their needs. Utilizing backup storage media may be a solution that helps reduce the need to store and maintain a large amount of data on internal systems. 

4. Doing the basics right―The simple things work 

Across industries and regardless of organization size, the most common problem we see is the absence of basic controls for IT security. Every organization, no matter their size, should work to ensure they have controls in place. Some must-haves:

  • Established IT security policies
  • Routine, monitored patch management practices (for all servers and workstations)
  • Change management controls (for both software and hardware changes)
  • Anti-virus/malware on all servers and workstations
  • Specific IT security risk assessments 
  • User access reviews
  • System logging and monitoring 
  • Employee security training

Go back to the basics 

We often see organizations that focus on new and emerging technologies, but have not taken the time to put basic security controls in place. Simple deterrents will help thwarting hackers. I often tell my clients a locked car scares away most ill-willed people, but a thief can still smash the window.  

Smaller organizations can consider using third-party security providers, if they are not able to implement basic IT security measures. From our experience, small organizations are being held to the same data security and privacy expectations by their customers as larger competitors and need to be able to provide assurance that controls are in place.  

5. Employee retention and training 

Unemployment rates are at an all-time low, and the demand for IT security experts at an all-time high. In fact, Monster.com reported that in 2019 the unemployment rate for IT security professionals is 0%.5 

Organizations should be highly focused on employee retention and training to keep current employees up-to-speed on technology and security trends. One study found that only 15% of IT security professionals were not looking to switch jobs within one year.6  

Surprisingly, money is not the top factor for turnover―68% of respondents prioritized working for a company that takes their opinions seriously.6 

For years we have told our clients they need to create and foster a culture of security from the top down, and that IT security must be considered more than just an overhead cost. It needs to align with overall business strategy and goals. Organizations need to create designated roles and responsibilities for security that provide your security personnel with a sense of direction―and the ability to truly protect the organization, their people, and the data. 

Training and support goes a long way

Offering training to security personnel allows them to stay abreast of current topics, but it also shows those employees you value their knowledge and the work they do. You need to train technology workers to be aware of new threats, and on techniques to best defend and protect from such risks. 

Reducing turnover rate of IT personnel is critical to IT security success. Continuously having to retrain and onboard employees is both costly and time-consuming. High turnover impacts your culture and also hampers your ability to grow and expand a security program. 

Making the effort to empower and train all employees is a powerful way to demonstrate your appreciation and support of the employees within your organization—and keep your data more secure.  

Our IT security consultants can help

Ensuring that you have a stable and established IT security program in place by considering the above risks will help your organization adapt to technology changes and create more than just an IT security program, but a culture of security minded employees. 

Our team of IT security and control experts can help your organization create and implement controls needed to consider emerging IT risks. For more information, contact the team
 

Sources:
[1] https://iapp.org/news/a/surprising-stats-on-third-party-vendor-risk-and-breach-likelihood/  
[2] https://resources.infosecinstitute.com/first-big-gdpr-fines/
[3] https://www.forbes.com/sites/bernardmarr/2018/05/21/how-much-data-do-we-create-every-day-the-mind-blowing-stats-everyone-should-read/#458b58860ba9
[4] https://www.inc.com/jeff-barrett/misusing-data-could-be-costing-your-business-heres-how.html
[5] https://www.monster.com/career-advice/article/tech-cybersecurity-zero-percent-unemployment-1016
[6] https://www.securitymagazine.com/articles/88833-what-will-improve-cyber-talent-retention

Blog
Five IT risks everyone should be aware of

Phew! We did it—The Medicaid Enterprise Systems Conference (MESC) 2019 is one for the books! And, it was a great one. Here is my perspective on objectives and themes that will guide our work for the year.

Monday 

My day started in the fog—I live on an island in Maine, take a boat to get into Portland, and taxi to the airport. Luckily, I got to Portland, and, ultimately Chicago, on time and ready to go. 

Public Sector Technology Group (PSTG) meeting

At the PSTG meetings, we reviewed activities from the previous year and did some planning for the coming year. Areas for consideration included:

  • Modernization Schedule
  • Module Definitions
  • Request for Proposal (RFP) Requirements
  • National Association of State Procurement Officers

Julie Boughn, Centers for Medicare and Medicaid (CMS) Director, Data and Systems Group (DSG) introduced her new boss, Karen Shields, who is the Deputy Director for the Center for Medicaid and CHIP Services (CMCS) within CMS. Karen shared her words of wisdom and encouragement with us, while Julie reminded us that being successful in our work is about the people. CMS also underscored the goal of speeding up delivery of service to the Medicaid program and asking ourselves: “What is the problem we are trying to resolve?” 

CMS’ “You be the State” officer workshop

Kudos to CMS for creating this open environment of knowledge sharing and gathering input.  Areas for discussion and input included:

  • APD Processes
  • Outcomes-Based Certification
  • Increasing and Enhancing Accountability

Tuesday
Opening Plenary

I was very touched by the Girls Inc. video describing the mission of Girls Inc. to inspire girls to be strong, smart, and bold. With organizations like this, and our awareness and action, I am optimistic for the future. Thank you to NESCSO for including this in their opening program.

John Doerr, author of Measure What Matters: OKRs: The Simple Idea that Drives 10x Growth and famed investor, shared his thoughts on how to create focus and efficiency in what we do. Julie’s interview with him was excellent, and I appreciated how John’s Objectives and Key Results (OKR) process prompted Julie to create objectives for what we are trying to do. The objectives Julie shared with us:

  • Improve the quality of our services for users and other stakeholders 
  • Ensure high-quality data is available to manage the program and improve policy making 
  • Improve procurement and delivery of Medicaid technology projects

Sessions

The sessions were well attended and although I can't detail each specific session I attended, I will note that I did enjoy using the app to guide me through the conference. NESCSO has uploaded the presentations. 

Auxiliary meetings

Whether formal or informal, meetings are one of the big values of the conference—relationships are key to everyone’s success, and meeting with attendees in one-on-one environments was incredibly productive. 

Poster session

The poster sessions were excellent. States are really into this event, and it is a great opportunity for the MESC community to engage with the states and see what is going on in the Medicaid Enterprise space.

Wednesday

Some memorable phrases heard in the sessions:

  • Knowledge is power only if you share it
  • We are in this together and want the same outcomes, so let’s share more
  • Two challenges to partnering projects—the two “P”s—are purchasing and personnel
  • Don’t let perfection be the enemy of the good
  • Small steps matter
  • Sharing data is harder than it needs to be—keep in mind the reason for what you are doing

Our evening social event was another great opportunity to connect with the community at MESC and the view of Chicago was beautiful.

Julie Boughn challenged us to set a goal (objective) in the coming year, and, along with it, to target some key results in connection with that goal. Here are some of her conference reflections:

  • Awesome
    • Several State Program and Policy leaders participated at MESC—impressed with Medicaid Director presence and participation
    • Smaller scoped projects are delivering in meeting the desired improved speed of delivery and quality
    • Increased program-technology alignment
  • Not so awesome
    • Pending state-vendor divorces
    • Burden of checklists and State Self-Assessments (SS-As)—will have something to report next year
    • There are still some attempts at very large, multi-year replacement projects—there is going to be a lot of scrutiny on gaining outcomes. Cannot wait five years to change something.

OKRs and request for states and vendors

  • Objective: Improve the quality of services for our users and other stakeholders
    • Key Result (KR): Through test results and audits, all States and CMS can state with precision, the overall accuracy of Medicaid eligibility systems.
    • KR: 100% of State electronic visit verification (EVV) systems are certified and producing annual performance data.
    • KR: 100% of States have used CMS-required testing guidance to produce testing results and evidence for their eligibility systems.
  • Objective: Ensure high-quality data is available to manage the program and improve policy making
    • KR: Transformed Medicaid Statistical Information System (T-MSIS) data is of sufficient quality that it is used to inform at least one key national Medicaid policy decision that all states have implemented.
    • KR:  Eliminate at least two state reporting requirements because T-MSIS data can be used instead.
    • KR: At least five states have used national or regional T-MSIS data to inform their own program oversite and/or policy-making decisions.
  • Objective: Improve how Medicaid technology projects are procured and delivered
    • KR: Draft standard language for outcomes metrics for at least four Medicaid business areas.
    • KR:  Five states make use of the standard NASPO Medicaid procurement.
    • KR:  CMS reviews of RFPs and contracts using NASPO vehicle are completed within 10 business days.
    • KR:  Four states test using small incremental development phases for delivery of services.
  • Request: Within 30 days, states/vendors will identify at least one action to take to help us achieve at least one of the KRs within the next two years.

Last thoughts

There is a lot to digest, and I am energized to carry on. There are many follow-up tasks we all have on our list. Before we know it, we’ll be back at next year’s MESC and can check in on how we are doing with the action we have chosen to help meet CMS’s requirements. See you in Boston!

Blog
MESC 2019―Reflections and Daily Recap

Read this if you are a State Medicaid Director, State Medicaid Chief Information Officer, State Medicaid Project Manager, or State Procurement Officer—or if you work on a State Medicaid Enterprise System (MES) certification effort.

Measuring performance of Medicaid Enterprise Systems (MES) is emerging as the next logical step in moving Medicaid programs toward modularity. As CMS continues to refine and implement outcomes-based modular certification, it is critical that states adapt to this next step in order to continue to meet CMS funding requirements.

This measurement, in terms of program outcomes, presents a unique set of challenges, many of which a state may not have considered before. A significant challenge is determining how and where to begin measuring program outcomes―to meet it, states can leverage a trusted, independent partner as they undertake an outcomes-based effort.

Outcomes-based planning can be thought of as a three-step process. First, and perhaps most fundamental, is to define outcomes. Second, you need to determine what measurements will demonstrate progress toward achieving those outcomes. And the final step is to create reporting measurements and their frequency. Your independent partner can help you answer these critical questions and meet CMS requirements efficiently by objectively guiding you toward realizing your goals.

  1. Defining Outcomes
    When defining an outcome, it is important to understand what it is and what it isn’t. An outcome is a benefit or added value to the Medicaid program. It is not an output, which is a new or enhanced function of a new MES module. An output is the product that supports the outcome. For example, the functionality of a new Program Integrity (PI) module represents an output. The outcome of the new PI module could be that the Medicaid program continuously improves based on data available because of the new PI module. Some outcomes may be intuitive or obvious. Others may not be as easy to articulate. Regardless, you need to direct the focus of your state and solution vendor teams on the outcome to uncover what the underlying goal of your Medicaid program is.
     
  2. Determining Measurements
    The second step is to measure progress. Well-defined Key Performance Indicators (KPIs) will accurately capture progress toward these newly defined outcomes. Your independent partner can play a key role by posing questions to help ensure the measurements you consider align with CMS’ goals and objectives. Additionally, they can validate the quality of the data to ensure accuracy of all measurements, again helping to meet CMS requirements.
     
  3. Reporting Measurements
    Finally, your state must decide how―and how often―to report on outcomes-based measurements. Your independent partner can collaborate with both your state and CMS by facilitating conversations to determine how you should report, based on a Medicaid program’s nuances and CMS’ goals. This can help ensure the measurements (and support information) you present to CMS are useful and reliable, giving you the best chance for attaining modular certification.

Are you considering an outcomes-based CMS modular certification, or do you have questions about how to best leverage an independent partner to succeed with your outcomes-based modular certification effort? BerryDunn’s extensive experience as an independent IV&V and Project Management Office (PMO) partner includes the first pilot outcomes-based certification effort with CMS. Please visit our IV&V and certification experts at our booth at MESC 2019 or contact our team now.

Blog
Three steps to measure Medicaid Enterprise Systems outcomes

Read this if you are a State Medicaid Director, State Medicaid Chief Information Officer, State Medicaid Project Manager, or State Procurement Officer.

As CMS moves away from the monolithic Medicaid Management Information System (MMIS) toward an outcomes-based approach that includes a modular Medicaid Enterprise System (MES), there is now more emphasis on system integration (SI). 

In the August 16, 2016 letter, State Medicaid Director (SMD) #16-010, CMS clarified the role of the system integrator (SI) by stating:

CMS envisions a discrete role for the system integrator (SI) in each state, with specific focus on ensuring the integrity and interoperability of the Medicaid IT architecture and cohesiveness of the various modules incorporated into the Medicaid enterprise. 

While the importance of the SI role is apparent, not all states have the resources to build the SI capability within their own organizations. Some state Medicaid IT teams try to solve this by delegating management roles to vendors or contractors. This approach has various risks. A state could lose:

  • Institutional knowledge, as vendors and contractors transition off the project
  • Control of governance, oversight, and leadership
  • The ability to enforce contractual requirements across each vendor, especially the SI

In addition, the ramifications of loss of state accountability can have wide-reaching implementation, operational, and financial impacts, including:

  • The loss of timely decision making, causing projects to fall behind schedule
  • State-specific policy needs not being met, impacting how the MMIS functions in production 
  • Poor integration into the state-specific Operation and Maintenance (O&M) support model, increasing the state’s portion of long-term O&M costs
  • Inefficient and ineffective contract management of each module vendor and contractor (including the SI), possibly leading to unneeded change requests and cost overruns
  • Lack of coordination with the state’s business or IT roadmap initiatives (i.e., system consolidation or cloud migration vendor/approach), possibly leading to rework and missed opportunities to reduce cost or improve interoperability 

Apply strong governance and IV&V to tackle risks

Because the SI vendor is responsible for the integration of multiple modules across multiple vendors, you may consider delegating oversight of module vendors to the SI vendor. 

The major benefit states get from using the SI vendor is efficiency. Having your vendor as the central point of contact can quickly resolve technical issues, while allowing easy coordination of project tasks across each module vendor on a continual basis. 

If you choose to use a vendor for the SI role, establish safeguards and governance to make sure your goals are being met:

  • Build a project-specific governance model (executive committee [EC]) to oversee the vendors and the project
  • Establish a regular meeting cadence for the EC to allow for status updates on milestones and discuss significant project risks and issues 
  • Allocate state resources into project leadership roles (i.e., project manager, vendor contract manager, security lead, testing/Quality Assurance lead, etc.)
  • Conduct regular (weekly) SI status meetings to track progress and address risks and issues 

You also need a strong, involved governance structure that includes teams of state senior leadership, state program managers, SI vendor engagement/contract managers, and Independent Verification and Validation (IV&V) vendors. By definition, one responsibility of IV&V is to identify and monitor project risks and issues that could arise from a lack of independence. 

Your governance teams can debate decisions and disputes, risks and issues, and federal compliance issues with their vendors to define direction and action plans. However, a state representative within these teams should always make the final management decisions, approve all SI scope items and changes, and approve all contractual deliverables from each vendor or contractor.

Your state staff (business and IT) provides project management decision, business needs, requirements (functional and non-functional), policy guidance, and continuity as the vendors and/or contractors change over time. 

The conclusion? In order to be successful, you must retain certain controls and expertise to deploy and operate a successful MMIS system. Our consultants understand the need to keep you in control of managing key portions of implementation projects/programs and operational tasks. If you have questions, please contact BerryDunn’s Medicaid team.  
 

Blog
Risks when using vendors to manage Medicaid system implementation projects

Read this if you are a state Medicaid Director, State Medicaid Chief Information Officer, State Medicaid Project Manager, State Procurement Officer, or work in a State Medicaid Program Integrity Unit.

The Centers for Medicare & Medicaid Services (CMS) issued a Payment Error Rate Measurement (PERM) Final Rule on July 5, 2017, that made several changes to the PERM requirements. One important change was the updates to the Medicaid Eligibility Quality Control (MEQC) requirement. 

The Final Rule restructures the MEQC program into a pilot program that requires states to conduct eligibility reviews during the two years between PERM cycles. CMS has also introduced the potential for imposing disallowances or reductions in federal funding percentage (FFP) as a result of PERM eligibility error rates that do not meet the national standard. One measure states can use to lessen the chance of this happening is by successfully carrying out the requirements of the MEQC pilot. 

What states should know―important points to keep in mind regarding MEQC reviews:

  • Each state must have a team in place to conduct MEQC reviews. The individuals responsible for the MEQC reviews and associated activities must be separate from the state agencies and personnel responsible for Medicaid and Children’s Health Insurance Program (CHIP) policy and operations, including eligibility determinations.
  • States can apply for federal funding to help cover the costs of the MEQC activities. CMS encourages states to partner with a contractor in conducting the MEQC reviews.
  • The deadline to submit the state planning document to CMS is November 1 following the end of your state’s PERM cycle. If you are a Cycle 2 state, your MEQC planning document is due by November 1, 2019. 
  • If you are a Cycle 1 state, you are (or should be) currently undergoing the MEQC reviews.
  • There are minimum sample size requirements for the MEQC review period: 400 negative cases and 400 active cases (consisting of both Medicaid and CHIP cases) over a period of 12 months.
  • Upon conclusion of all MEQC reviews, states must submit a final findings report along with a corrective action plan that addresses all error findings identified during the MEQC review period.

CMS encourages states to utilize federal funding to carry out and fulfill MEQC requirements. BerryDunn has staff with experience in preparing Advanced Planning Documents (APD) and can assist your state in submitting an APD request to CMS for these MEQC activities. 

Check out the previously released blog, “PERM: Prepared or Not Prepared?” and stay tuned for upcoming blogs about specific PERM topics, including the financial impacts of PERM, and how each review phase will affect your state.   

For questions or to find out more, contact the team

Blog
PERM: Does MEQC affect states?

Read this if you are an Institutional Research (IR) Director, a Registrar, or are in the C-Suite.

In my last blog, I defined the what and the why of data governance, and outlined the value of data governance in higher education environments. I also asserted data isn’t the problem―the real culprit is our handling of the data (or rather, our deferral of data responsibility to others).

While I remain convinced that data isn’t the problem, recent experiences in the field have confirmed the fact that data governance is problematic. So much, in fact, that I believe data governance defies a “solid,” point-in-time solution. Discouraged? Don’t be. Just recalibrate your expectations, and pursue an adaptive strategy.

This starts with developing data governance guiding principles, with three initial points to consider: 

  1. Key stakeholders should develop your institution’s guiding principles. The team should include representatives from areas such as the office of the Registrar, Human Resources, Institutional Research, and other significant producers and consumers of institutional data. 
  2. The focus of your guiding principles must be on the strategic outcomes your institution is trying to achieve, and the information needed for data-driven decision-making.
  3. Specific guiding principles will vary from institution to institution; effective data governance requires both structure and flexibility.

Here are some baseline principles your institution may want to adopt and modify to suit your particular needs.

  • Data governance entails iterative processes, attention to measures and metrics, and ongoing effort. The institution’s governance framework should be transparent, practical, and agile. This ensures that governance is seen as beneficial to data management and not an impediment.
  • Governance is an enabler. The institution’s work should help accomplish objectives and solve problems aligned with strategic priorities.
  • Work with the big picture in mind. Start from the vantage point that data is an institutional asset. Without an institutional asset mentality it’s difficult to break down the silos that make data valuable to the organization.
  • The institution should identify data trustees and stewards that will lead the data governance efforts at your institution
    • Data trustees should have responsibility over data, and have the highest level of responsibility for custodianship of data.
    • Data stewards should act on behalf of data trustees, and be accountable for managing and maintaining data.
  • Data quality needs to be baked into the governance process. The institution should build data quality into every step of capture and entry. This will increase user confidence that there is data integrity. The institution should develop working agreements for sharing and accessing data across organizational lines. The institution should strive for processes and documentation that is consistent, manageable, and effective. This helps projects run smoothly, with consistent results every time.
  • The institution should pay attention to building security into the data usage cycle. An institution’s security measures and practices need to be inherent in the day-to-day management of data, and balanced with the working agreements mentioned above. This keeps data secure and protected for the entire organization.
  •  Agreed upon rules and guidelines should be developed to support a data governance structure and decision-making. The institution should define and use pragmatic approaches and practical plans that reward sustainability and collaboration, building a successful roadmap for the future. 

Next Steps

Are you curious about additional guiding principles? Contact me. In the meantime, keep your eyes peeled for a future blog that digs deeper into the roles of data trustees and stewards.
 

Blog
Governance: It's good for your data

Read this if you are a state Medicaid Director, State Medicaid Chief Information Officer, State Medicaid Project Manager, or State Procurement Officer.

When I was growing up, my dad would leave the Bureau of Motor Vehicles or hang up the phone after talking with the phone company and say sarcastically, “I’m from the government (or the phone company) and I’m here to help you. Yeah, right.” I could hear the frustration in his voice. As I’ve gotten older, I understand the hassle of dealing with bureaucracy, where the red tape can make things more difficult than they need to be, and where customers don’t come first. It doesn’t have to be that way.

In my role performing Independent Verification and Validation (IV&V) at BerryDunn, I hear the same skepticism in the voices of some of my clients. I can hear them thinking, “Let me get this straight… I’m spending millions of dollars to replace my old Medicaid Management Information System (MMIS), and the Centers for Medicare and Medicaid Services (CMS) says I have to hire an IV&V consultant to show me what I am doing wrong? I don’t even control the contract. You’re here to help me? Yeah, right.” Here are some things to assuage your doubt. 

Independent IV&V―what they should do for you and your organization

An independent IV&V partner that is invested in your project’s success can:

  • Enhance your system implementation to help you achieve compliance
  • Help you share best practice experience in the context of your organization’s culture to improve efficiency in other areas
  • Assist you in improving your efficiency and timeliness with project management capabilities.

Even though IV&V vendors are federally mandated from CMS, your IV&V vendor should also be a trusted partner and advisor, so you can achieve compliance, improve efficiency, and save time and effort. 

Not all IV&V vendors are equal. Important things to consider:

Independence―independent vendors are a good place to start, as they are solely focused on your project’s success. They should not be selling you software or other added services, push vendor affiliations, or rubber stamp CMS, nor the state. You need a non-biased sounding board, a partner willing to share lessons learned from experience that will help your organization improve.

Well-rounded perspective―IV&V vendors should approach your project from all perspectives. A successful implementation relies on knowledge of Medicaid policy and processes, Medicaid operations and financing, CMS certification, and project management.

“Hello, we are IV&V from BerryDunn, and we are here to help.”

BerryDunn offers teams that consist of members with complementary skills to ensure all aspects of your project receive expert attention. Have questions about IV&V? Contact our team.
 

Blog
We're IV&V and we are here to help you improve your Medicaid organization

Federal contractors with the Centers for Medicare & Medicaid Services (CMS) have begun performing Payment Error Rate Measurement (PERM) reviews under the Final Rule issued in July 2017—a rule that many states may not realize could negatively impact their Medicaid budgets.

PERM is a complex process—states must focus on several activities over a recurring three-year period of time—and states may not have the resources needed to make PERM requirements a priority. However, with the Final Rule, this PERM eligibility review could have financial implications. 

After freezing the eligibility measurement for four years while undergoing pilot review, CMS has established new requirements for the eligibility review component and made significant changes to the data processing and medical record review components. As part of the Final Rule, CMS may implement reductions in the amount of federal funding provided to a state’s Medicaid and Children’s Health Insurance Program (CHIP) programs based on the error rates identified from the eligibility reviews. 

Since the issuance of the Final Rule in July 2017, Cycle 1 states are the first group of states to undergo a PERM cycle, including reviews of the data processing, medical record, and eligibility components. These states are wrapping up the final review activities, and Cycle 2 states are in the early stages of their PERM reviews.

How can your state prepare?

Whether your state is a Cycle 1, Cycle 2, or Cycle 3 state, there are multiple activities your Medicaid departments should engage in throughout each three-year period of time during and between PERM cycles: 

  • Analyzing prior errors cited or known issues, along with the root cause of the error
  • Identifying remedies to reduce future errors
  • Preparing and submitting required questionnaires and documents to the federal contractors for an upcoming review cycle
  • Assisting federal contractors with current reviews and findings
  • Preparing for and undergoing Medicaid Eligibility Quality Control (MEQC) planning and required reviews
  • Corrective action planning

Is your state ready?

We’ve compiled a few basic questions to gauge your state’s readiness for the PERM review cycle:

  • Do you have measures in place to ensure all eligibility factors under review are identifiable and that all federal and state regulations are being met? The eligibility review contractor (ERC) will reestablish eligibility for all beneficiaries sampled for review. This process involves confirming all verification requirements are in the case file, income requirements are met, placement in an accurate eligibility category has taken place, and the timeframe for processing all determinations meets federal and state regulations. 
  • Do you have up-to-date policy and procedures in place for determining and processing Medicaid or CHIP eligibility of an individual? Ensuring eligibility policies and procedures meet federal requirements is just as important as ensuring the processing of applications, including both system and manual actions, meet the regulations. 
  • Do you have up-to-date policy, procedures, and system requirements in place to ensure accurate processing of all Medicaid/CHIP claims? Reviewers will confirm the accuracy of all claim payments based on state and federal regulations. Errors are often cited due to the claims processing system allowing claims to pay that do not meet regulations.
  • Do you have a dedicated team in place to address all PERM requirements to ensure a successful review cycle? This includes staff to answer questions, address review findings, and respond to requests for additional information. During a review cycle, the federal contractors will cite errors based on their best understanding of policies and/or ability to locate required documentation. Responding to requests for information or reviewing and responding to findings in a timely manner should be a priority to ensure accurate findings. 
  • Have you communicated all PERM requirements and updates to policy changes to all Medicaid/CHIP providers? Providers play two integral roles in the success of a PERM review cycle. Providers must understand all claims submission requirements in order to accurately submit claims. Additionally, the medical record review component relies on providers responding to the request for the medical records on a sampled claim. Failure to respond will result in an error. Therefore, states must maintain communication with providers to stress the importance of responding to these requests.
  • Have you begun planning for the MEQC requirement? Following basic requirements identified by CMS during your state’s MEQC period, your state must submit a case planning document to CMS for approval prior to the MEQC review period. After the MEQC review, your state should be prepared to issue findings reports, including a corrective action plan as it relates to MEQC findings.

Need help piloting your state’s PERM review process?

BerryDunn has subject matter experts experienced in conducting PERM reviews, including a thorough understanding of all three PERM review components—eligibility, data processing, and medical record reviews. 

We would love to work with your state to see that measures are in place that will help ensure the lowest possible improper payment error rate. Stay tuned for upcoming blogs where we will discuss other PERM topics, including MEQC requirements, the financial impacts of PERM, and additional details related to each phase of PERM. For questions or to find out more, please email me
 

Blog
PERM: Prepared or not prepared?

As the Project Management Body of Knowledge® (PMBOK®) explains, organizations fall along a structure and reporting spectrum. On one end of this spectrum are functional organizations, in which people report to their functional managers. (For example, Finance staff report to a Finance director.) On the other end of this spectrum are projectized organizations, in which people report to a project manager. Toward the middle of the spectrum lie hybrid—or matrix—organizations, in which reporting lines are fairly complex; e.g., people may report to both functional managers and project managers. 

Problem: Weak Matrix Medicaid System Vendors

This brings us to weak matrix organizations, in which functional managers have more authority than project managers. Many Medicaid system vendors happen to fall into the weak matrix category, for a number of different reasons. Yet the primary factor is the volume and duration of operational work—such as provider enrollment, claims processing, and member enrollment—that Medicaid system vendors perform once they exit the design, development, and implementation (DDI) phase.

This work spans functional areas, which can muddy the reporting waters. Without strong and clear reporting lines to project managers, project success can be seriously (and negatively) affected if the priorities of the functional leads are not aligned with those of the project. And when a weak matrix Medicaid system vendor enters a multi-vendor environment in which it is tasked with implementing a system that will serve multiple departments and bureaus within a state government, the reporting waters can become even muddier.


Solution: Using a Project Management Office (PMO) Vendor

Conversely, consulting firms that provide Project Management Office (PMO) services to government agencies tend to be strong matrix organizations, in which project managers have more authority over project teams and can quickly reallocate team members to address the myriad of issues that arise on complex, multi-year projects to help ensure project success. PMOs are also typically experienced at creating and running project governance structures and can add significant value in system implementation-related work across government agencies.

Additional benefits of a utilizing a PMO vendor include consistent, centralized reporting across your portfolio of projects and the ability to quickly onboard subject matter expertise to meet program and project needs. 
For more in-depth information on the benefits of using a PMO on state Medicaid projects, stay tuned for my second blog in this series. In the meantime, feel free to send your PMO- or Medicaid-related questions to me
 

Blog
The power of the PMO: Fixing the weak matrix

As your organization works to modernize and improve your Medicaid Enterprise System (MES), are you using independent verification and validation (IV&V) to your advantage? Does your relationship with your IV&V provider help you identify high-risk project areas early, or provide you with an objective view of the progress and quality of your MES modernization initiative? Maybe your experience hasn’t shown you the benefits of IV&V. 

If so, as CMS focuses on quality outcomes, there may be opportunities for you to leverage IV&V in a way that can help advance your MES to increase the likelihood of desired outcomes for your clients. 

According to 45 Code of Federal Regulations (CFR) § 95.626, IV&V may be required for Advanced Planning Document (APD) projects that meet specific criteria. That said, what is the intended role and benefit of IV&V? 

To begin, let’s look at the meaning of “verification” and “validation.” The Institute of Electrical and Electronics Engineers, Inc. (IEEE) Standard for Software Verification and Validation (1012-1998) defines verification as, “confirmation of objective evidence that the particular requirements for a specific intended use are fulfilled.” Validation is “confirmation of objective evidence that specified requirements have been fulfilled.” 

Simply put, verification and validation ensure the right product is built, and the product is built right. 
As an independent third party, IV&V should not be influenced by any vendor or software application. This objectivity means IV&V’s perspective is focused on benefiting your organization. This support includes: 

  • Project management processes and best practices support to help increase probability of project success
  • Collaboration with you, your vendors, and stakeholders to help foster a positive and efficient environment for team members to interact 
  • Early identification of high-risk project areas to minimize impact to schedule, cost, quality, and scope 
  • Objective examination of project health in order for project sponsors, including the federal government, to address project issues
  • Impartial analysis of project health that allows state management to make informed decisions 
  • Unbiased visibility into the progress and quality of the project effort to increase customer satisfaction and reduce the risk and cost of rework
  • Reduction of errors in delivered products to help increase productivity of staff, resulting in a more efficient MES 

Based on our experience, when a trusted relationship exists between state governments and IV&V, an open, collaborative dialogue of project challenges—in a non-threatening manner—allows for early resolution of risks. This leads to improved quality of MES outcomes.    

Is your IV&V provider helping you advance the quality of your MES? Contact our team.

Blog
Leveraging IV&V to achieve quality outcomes

Best practices for financial institution contracts with technology providers

As the financial services sector moves in an increasingly digital direction, you cannot overstate the need for robust and relevant information security programs. Financial institutions place more reliance than ever on third-party technology vendors to support core aspects of their business, and in turn place more reliance on those vendors to meet the industry’s high standards for information security. These include those in the Gramm-Leach-Bliley Act, Sarbanes Oxley 404, and regulations established by the Federal Financial Institutions Examination Council (FFIEC).

On April 2, 2019, the FDIC issued Financial Institution Letter (FIL) 19-2019, which outlines important requirements and considerations for financial institutions regarding their contracts with third-party technology service providers. In particular, FIL-19-2019 urges financial institutions to address how their business continuity and incident response processes integrate with those of their providers, and what that could mean for customers.

Common gaps in technology service provider contracts

As auditors of IT controls, we review lots of contracts between financial institutions and their technology service providers. When it comes to recommending areas for improvement, our top observations include:

  • No right-to-audit clause
    Including a right-to-audit clause encourages transparency and provides greater assurance that vendors are providing services, and charging for them, in accordance with their contract.
  • Unclear and/or inadequate rights and responsibilities around service disruptions
    In the event of a service incident, time and transparency are vital. Contracts that lack clear and comprehensive standards, both for the vendor and financial institution, regarding business continuity and incident response expose institutions to otherwise avoidable risk, including slow or substandard communications.
  • No defined recovery standards
    Explicitly defined recovery standards are essential to ensuring both parties know their role in responding and recovering from a disaster or other technology outage.

FIL-19-2019 also reminds financial institutions that they need to properly inform regulators when they undertake contracts or relationships with technology service providers. The Bank Service Company Act requires financial institutions to inform regulators in writing when receiving third-party services like sorting and posting of checks and deposits, computation and posting of interest, preparation and mailing of statements, and other functions involving data processing, Internet banking, and mobile banking services.

Writing clearer contracts that strengthen your institution

Financial institutions should review their contracts, especially those that are longstanding, and make necessary updates in accordance with FDIC guidelines. As operating environments continue to evolve, older contracts, often renewed automatically, are particularly easy to overlook. You also need to review business continuity and incident response procedures to ensure they address all services provided by third-parties.

Senior management and the Board of Directors hold ultimate responsibility for managing a financial institution’s relationship with its technology service providers. Management should inform board members of any and all services that the institution receives from third-parties to help them better understand your operating environment and information security needs.

Not sure what to look for when reviewing contracts? Some places to start include:

  • Establish your right-to-audit
    All contracts should include a right-to-audit clause, which preserves your ability to access and audit vendor records relating to their performance under contract. Most vendors will provide documentation of due diligence upon request, such as System and Organization Control (SOC) 1 or 2 reports detailing their financial and IT security controls.

    Many right-to-audit clauses also include a provision allowing your institution to conduct its own audit procedures. At a minimum, don’t hesitate to perform occasional walk-throughs of your vendor’s facilities to confirm that your contract’s provisions are being met.
  • Ensure connectivity with outsourced data centers
    If you outsource some or all of your core banking systems to a hosted data center, place added emphasis on your institution’s business continuity plan to ensure connectivity, such as through the use of multiple internet or dedicated telecommunications circuits. Data vendors should, by contract, be prepared to assist with alternative connectivity.
  • Set standards for incident response communications 
    Clear expectations for incident response are crucial  to helping you quickly and confidently manage the impact of a service incident on your customers and information systems. Vendor contracts should include explicit requirements for how and when vendors will communicate in the event of any issue or incident that affects your ability to serve your customers. You should also review and update contracts after each incident to address any areas of dissatisfaction with vendor communications.
  • Ensure regular testing of defined disaster recovery standards
    While vendor contracts don’t need to detail every aspect of a service provider’s recovery standards, they should ensure those standards will meet your institution’s needs. Contracts should guarantee that the vendor periodically tests, reviews, and updates their recovery standards, with input from your financial institution.

    Your data center may also offer regular disaster recovery and failover testing. If they do, your institution should participate in it. If they don’t, work with the vendor to conduct annual testing of your ability to access your hosted resources from an alternate site.

As financial institutions increasingly look to third-party vendors to meet their evolving technology needs, it is critical that management and the board understand which benefits—and related risks—those vendors present. By taking time today to align your vendor contracts with the latest FFIEC, FDIC, and NCUA standards, your institution will be better prepared to manage risk tomorrow.

For more help gaining control over risk and cybersecurity, see our blog on sustainable solutions for educating your Board of Directors and creating a culture of cybersecurity awareness.
 

Blog
Are your vendor contracts putting you at risk?

Who has the time or resources to keep tabs on everything that everyone in an organization does? No one. Therefore, you naturally need to trust (at least on a certain level) the actions and motives of various personnel. At the top of your “trust level” are privileged users—such as system and network administrators and developers—who keep vital systems, applications, and hardware up and running. Yet, according to the 2019 Centrify Privileged Access Management in the Modern Threatscape survey, 74% of data breaches occurred using privileged accounts. The survey also revealed that of the organizations responding:

  • 52% do not use password vaulting—password vaulting can help privileged users keep track of long, complex passwords for multiple accounts in an encrypted storage vault.
  • 65% still share the use of root and other privileged access—when the use of root accounts is required, users should invoke commands to inherent the privileges of the account (SUDO) without actually using the account. This ensures “who” used the account can be tracked.
  • Only 21% have implemented multi-factor authentication—the obvious benefit of multi-factor authentication is to enhance the security of authenticating users, but also in many sectors it is becoming a compliance requirement.
  • Only 47% have implemented complete auditing and monitoring—thorough auditing and monitoring is vital to securing privileged accounts.

So how does one even begin to trust privileged accounts in today’s environment? 

1. Start with an inventory

To best manage and monitor your privileged accounts, start by finding and cataloguing all assets (servers, applications, databases, network devices, etc.) within the organization. This will be beneficial in all areas of information security such as asset management, change control and software inventory tracking. Next, inventory all users of each asset and ensure that privileged user accounts:

  • Require privileges granted be based on roles and responsibilities
  • Require strong and complex passwords (exceeding those of normal users)
  • Have passwords that expire often (30 days recommended)
  • Implement multi-factor authentication
  • Are not shared with others and are not used for normal activity (the user of the privileged account should have a separate account for non-privileged or non-administrative activities)

If the account is only required for a service or application, disable the account’s ability to login from the server console and from across the network

2. Monitor—then monitor some more

The next step is to monitor the use of the identified privileged accounts. Enable event logging on all systems and aggregate to a log monitoring system or a Security Information and Event Management (SIEM) system that alerts in real time when privileged accounts are active. Configure the system to alert you when privileged accounts access sensitive data or alter database structure. Report any changes to device configurations, file structure, code, and executable programs. If these changes do not correlate to an approved change request, treat them as incidents and investigate.  

Consider software that analyzes user behavior and identifies deviations from normal activity. Privileged accounts that are accessing data or systems not part of their normal routine could be the indication of malicious activity or a database attack from a compromised privileged account. 

3. Secure the event logs

Finally, ensure that none of your privileged accounts have access to the logs being used for monitoring, nor have the ability to alter or delete those logs. In addition to real time monitoring and alerting, the log management system should have the ability to produce reports for periodic review by information security staff. The reports should also be archived for forensic purposes in the event of a breach or compromise.

Gain further assistance (and peace of mind) 

BerryDunn understands how privileged accounts should be monitored and audited. We can help your organization assess your current event management process and make recommendations if improvements are needed. Contact our team.

Blog
Trusting privileged accounts in the age of data breaches

Law enforcement, courts, prosecutors, and corrections personnel provide many complex, seemingly limitless services. Seemingly is the key word here, for in reality these personnel provide a set number of incredibly important services.

Therefore, it should surprise no one that justice and public safety (J&PS) IT departments should also provide a well-defined set of services. However, these departments are often viewed as parking lots for all technical problems. The disconnect between IT and other J&PS business units often stems from differences in organizational culture and structure, and differing department objectives and goals. As a result, J&PS organizations often experience misperception between business units and IT. The solution to this disconnect and misperception? Defining IT department services.

The benefits of defined IT services

  1. Increased business customer satisfaction. Once IT services align with customer needs, and expectations are established (e.g., service costs and service level agreements), customers can expect to receive the services they agreed to, and the IT department can align staff and skill levels to successfully meet those needs.
  2. Improved IT personnel morale. With clear definition of the services they provide to their customers, including clearly defined processes for customers to request those services, IT personnel will no longer be subject to “rogue” questions or requests, and customers won’t be inclined to circumvent the process. This decreases IT staff stress and enables them to focus on their roles in providing the defined services. 
  3. Better alignment of IT services to organizational needs. Through collaboration between the business and IT organizations, the business is able to clearly articulate the IT services that are, and aren’t, required. IT can help define realistic service levels and associated services costs, and can align IT staff and skills to the agreed-upon services. This results in increased IT effectiveness and reduced confusion regarding what services the business can expect from IT.
  4. More collaboration between IT and the organization. The collaboration between the IT and business units in defining services results in an enhanced relationship between these organizations, increasing trust and clarifying expectations. This collaborative model continues as the services required by the business evolve, and IT evolves to support them.
  5. Reduced costs. J&PS organizations that fail to strategically align IT and business strategy face increasing financial costs, as the organization is unable to invest IT dollars wisely. When a business doesn’t see IT as an enabler of business strategy, IT is no longer the provider of choice—and ultimately risks IT services being outsourced to a third-party vendor.

Next steps
Once a J&PS IT department defines its services to support business needs, it then can align the IT staffing model (i.e., numbers of staff, skill sets, roles and responsibilities), and continue to collaborate with the business to identify evolving services, as well as remove services that are no longer relevant. Contact us for help with this next step and other IT strategies and tactics for justice and public safety organizations.

Blog
The definition of success: J&PS IT departments must define services

“The world is one big data problem,” says MIT scientist and visionary Andrew McAfee.

That’s a daunting (though hardly surprising) quote for many in data-rich sectors, including higher education. Yet blaming data is like blaming air for a malfunctioning wind turbine. Data is a valuable asset that can make your institution move.

To many of us, however, data remains a four-letter word. The real culprit behind the perceived data problem is our handling and perception of data and the role it can play in our success—that is, the relegating of data to a select, responsible few, who are usually separated into hardened silos. For example, a common assumption in higher education is that the IT team can handle it. Not so. Data needs to be viewed as an institutional asset, consumed by many and used by the institution for the strategic purposes of student success, scholarship, and more.

The first step in addressing your “big” data problem? Data governance.

What is data governance?

There are various definitions, but the one we use with our clients is “the ongoing and evolutionary process driven by leaders to establish principles, policies, business rules, and metrics for data sharing.”

Please note that the phrase “IT” does not appear anywhere in this definition.

Why is data governance necessary? For many reasons, including:

  1. Data governance enables analytics. Without data governance, it’s difficult to gain value from analytics initiatives which will produce inconsistent results. A critical first step in any data analytics initiative is to make sure that definitions are widely accepted and standards have been established. This step allows decision makers to have confidence in the data being analyzed to describe, predict, and improve operations.
     
  2. Data governance strengthens privacy, security, and compliance. Compliance requirements for both public and private institutions constantly evolve. The more data-reliant your world becomes, the more protected your data needs to be. If an organization does not implement security practices as part of its data governance framework, it becomes easier to fall out of compliance. 
     
  3. Data governance supports agility. How many times have reports for basic information (part-time faculty or student FTEs per semester, for example) been requested, reviewed, and returned for further clarification or correction? And that’s just within your department! Now add multiple requests from the perspective of different departments, and you’re surely going through multiple iterations to create that report. That takes time and effort. By strengthening your data governance framework, you can streamline reporting processes by increasing the level of trust you have in the information you are seeking. Understanding the value of data governance is the easy part/ The real trick is implementing a sustainable data governance framework that recognizes that data is an institutional asset and not just a four-letter word.

Stay tuned for part two of this blog series: The how of data governance in higher education. In the meantime, reach out to me if you would like to discuss additional data governance benefits for your institution.

Blog
Data is a four-letter word. Governance is not.

If you’ve been tasked with leading a high-impact project for your organization, you may find managing the scope, budget and schedule is not enough to ensure project success—especially when you encounter resistance to change. When embarking on large-scale change projects spanning people, processes and technology, appointing staff as “coaches” to help support stakeholders through the change—and to manage resistance to the change—can help increase adoption and buy-in for a new way of doing things.

The first step is to identify candidates for the coaching role. These candidates are often supervisory staff who have credibility in the organization—whether as a subject matter expert, through internal leadership, or from having a history of client satisfaction. Next, you need a work plan to orient them to this role. One critical component is making sure the coaches themselves understand what the change means for their role, and have fully committed before asking them to coach others. They may exhibit initial resistance to the change you will need to manage before they can be effective coaches. According to research done by Prosci®, a leading change management research organization, some of the most common reasons for supervisor resistance in large-scale change projects are:

  • Lack of awareness about and involvement in the change
  • Loss of control or negative impact on job role
  • Increased work load (i.e., lack of time)
  • Culture of change resistance and past failures
  • Impact to their team

You should anticipate encountering these and other types of resistance from staff while preparing them to be coaches. Once coaches buy into the change, they will need ongoing support and guidance to fulfill their role. This support will vary by individual, but may be correlated to what managerial skills they already possess, or don’t. How can you focus on developing coaching skills among your staff for purposes of the project? Prosci® recommends a successful change coach take on the following roles:

  • Communicator—communicate with direct reports about the change
  • Liaison—engage and liaise with the project team
  • Advocate—advocate and champion the change
  • Resistance manager—identify and manage resistance
  • Coach—coach employees through the change

One of the initial tasks for your coaches will be to assess the existing level of change resistance and evaluate what resistance you may encounter. Prosci® identifies three types of resistance management work for your coaches to begin engaging in as they meet with their employees about the change:

  • Resistance prevention―by providing engagement opportunities for stakeholders throughout the project, building awareness about the change early on, and reinforcing executive-level support, coaches can often head off expected resistance.
  • Proactive resistance management―this approach requires coaches to anticipate the needs and understand the characteristics of their staff, and assess how they might react to change in light of these attributes. Coaches can then plan for likely forms of resistance in advance, with a structured mitigation approach.
  • Reactive resistance management―this focuses on resistance that has not been mitigated with the previous two types of resistance management, but instead persists or endures for an extended amount of time. This type of management may require more analysis and planning, particularly as the project nears its completion date.

Do you have candidates in your organization who may need support transitioning into coaching roles? Do you anticipate change resistance among your stakeholders? Contact us and we can help you develop a plan to address your specific challenges.

Blog
How to identify and prepare change management coaches

Writing a Request for Proposal (RFP) for a new software system can be complex, time-consuming, and—let’s face it—frustrating, especially if you don’t often write RFPs. The process seems dogged by endless questions, such as:

  • How specific should the problem statement and system requirements be?
  • How can the RFP solicit a response that proves the vendor is qualified?
  • Should the RFP include legal terms and conditions? If so, which ones? 
  • Is there another strategy that can help cut down on size without forfeiting a quality response?

The public RFP process can be onerous for both the issuer and the respondents, as they can reach lengths upwards of 100 pages. And, while your procurement department would probably never let you get away with developing an RFP that is only one page, we know a smaller document requires less labor and time devoted to writing and reading. What if you could create a lean, mean, and focused RFP? Here are some tips for creating such a document: 

Describe the problem as simply as possible. At its core, an RFP is a problem statement—your organization has a particular problem, and it needs the right solution. To get the right solution, keep your RFP laser-focused: adequately but briefly convey your problem and desired outcomes, provide simple rules and guidelines for respondents to submit their proposed solutions, and clarify how you will evaluate responses to make a selection. Additional information can be white noise, making it harder for respondents to give you what you want: easy-to-read and evaluate proposals. Use bullet points and keep the narrative to a minimum.

Be creative and open about how vendors must respond. RFPs often have pages of directions on how vendors need to write responses or describe their products. The most important component is to emphasize vendor qualifications. Do you want to know if the vendor can deliver a quality product? Request sample deliverables from past projects. Also ask for the number of successful past projects, with statistics on the percent deviation to client schedule, budget, including explanations for large variances. Does your new system need to keep audit trails and product billing reports? Rely on a list of pass/fail requirements and then a separate table for nice-to-have or desired functionalities.

Save the legal stuff until the end. Consider including legal terms and conditions as an attachment instead of in the body of an RFP. If you’re worried about compliance, you can require respondents to attest in writing that they found, read, and understand your terms and conditions, or state that by responding to the RFP they have read and agreed to them. State that any requested deviations can be negotiated later to save space in the RFP. You can also decrease length by attaching a glossary of terms. What’s more, if you find yourself including language from your state’s procurement manual, provide a link to the manual itself instead.

Create a quality template to save time later. Chances are your organization has at least one RFP template you use to save time, but are you using that template because it gets you the best responses, or because you’re in the habit of using it? If your answer is the latter, it may be to time review and revise those old templates to reflect your current business needs. Maybe the writing style can be clearer and more concise, or sections combined or reordered to make the RFP more intuitive.

Qualify providers in advance and reduce the scope. Another time-saver is a pre-qualification, where solution providers propose on an RFP focused primarily on their experience and qualifications. Smaller statements of work are then issued to the qualified providers, allowing for shorter drafting, response, and award timelines. If procurement rules allow, break the procurement up into a requests for information (RFI) and then a smaller RFP.

Need additional RFP assistance?
A simplified RFP can reduce long hours needed to develop and evaluate responses to RFPs, while vendors have more flexibility to propose the solutions you need. To learn more about how BerryDunn’s extensive procurement experience can help your organization develop effective RFPs.
 

Blog
The one-page RFP: How to create lean, mean, and focused RFPs

As a new year is upon us, many people think about “out with the old and in with the new”. For those of us who think about technology, and in particular, blockchain technology, the new year brings with it the realization that blockchain is here to stay (at least in some form). Therefore, higher education leaders need to familiarize themselves with some of the technology’s possible uses, even if they don’t need to grasp the day-to-day operational requirements. Here’s a high-level perspective of blockchain to help you answer some basic questions.

Are blockchain and bitcoin interchangeable terms?

No they aren’t. Bitcoin is an electronic currency that uses blockchain technology, (first developed circa 2008 to record bitcoin transactions). Since 2008, many companies and organizations utilize blockchain technology for a multitude of purposes.

What is a blockchain?

In its simplest terms, a blockchain is a decentralized, digital list (“chain”) of timestamped records (“blocks”) that are connected, secured by cryptography, and updated by participant consensus.

What is cryptography?

Cryptography refers to converting unencrypted information into encrypted information—and vice versa—to both protect data and authenticate users.

What are the pros of using blockchain?

Because blockchain technology is inherently decentralized, you can reduce the need for “middleman” entities (e.g., financial institutions or student clearinghouses). This, in turn, can lower transactional costs and other expenses, and cybersecurity risks—as hackers often like to target large, info-rich, centralized databases.

Decentralization removes central points of failure. In addition, blockchain transactions are generally more secure than other types of transactions, irreversible, and verifiable by the participants. These transaction qualities help prevent fraud, malware attacks, and other risks and issues prevalent today.

What are the cons of using blockchain technology?

Each blockchain transaction requires signature verification and processing, which can be resource-intensive. Furthermore, blockchain technology currently faces strong opposition from certain financial institutions for a variety of reasons. Finally, although blockchains offer a secure platform, they are not impervious to cyberattacks. Blockchain does not guarantee a hacker-proof environment.

How can blockchain benefit higher education institutions?

Blockchain technology can provide higher education institutions with a more secure way of making and recording financial transactions. You can use blockchains to verify and transfer academic credits and certifications, protect student personal identifiable information (PII) while simultaneously allowing students to access and transport their PII, decentralize academic content, and customize learning experiences. At its core, blockchain provides a fresh alternative to traditional methods of identity verification, an ongoing challenge for higher education administration.

As blockchain becomes less of a buzzword and begins to expand beyond the realm of digital currency, colleges and universities need to consider it for common challenges such as identity management, application processing, and student credentialing. If you’d like to discuss the potential benefits blockchain technology provides, please contact me.

Blog
Higher education and blockchain 101: It's not just for bitcoin anymore

Your government agency just signed the contract to purchase and implement a shiny new commercial off-the-shelf (COTS) software to replace your aging legacy software. The project plan and schedule are set; the vendor is ready to begin configuration and customization tasks; and your team is eager to start the implementation process.

You are, in a word, optimistic. But here comes the next phase of the project—the gap analysis, in which your project team and the vendor’s project team test the new software to see how well it fulfills your requirements. Spending sufficient time and energy on the gap analysis increases the likelihood the resulting software is configured to support the desired workflows and processes of the agency, while taking advantage of the software’s features and benefits. Yet this phase can be stressful because it will identify some gaps between what you want and what the software can provide.

While some of the gaps may be resolved by simple adjustments to software configuration, others may not—and can result in major issues impacting project scope, schedule, and/or cost. How do you resolve these major gaps?

Multiple Methods. Don’t let your optimism die on the vine. There are, in fact, multiple ways to address major gaps to keep you on schedule and on budget. They include:

Documenting a change request through a formal change control process. This will likely result in the vendor documenting the results of the new project scope. This, in turn, may impact the project’s schedule and cost. It promotes best practice by formally documenting approved changes to project scope, including any impact on schedule and cost. However, the change request process may take longer than you may originally anticipate, as it includes:

Documenting the proposed change
Scoping the change, including the impact on cost and schedule
Review of the proposed scope change with the project team and vendor
Final approval of the change before the vendor can begin work

Collaborating with the vendor on a solution that fits within the confines of the selected software. With no actual customization required, this may result in a functionality compromise, and may also involve compromise by the project team and the vendor. However, it does not require a formal process to document and approve a change in scope, schedule or cost, since there are no impacts on these triple constraints.

Collaborating with the vendor and internal project stakeholders to redefine business processes. This may or may not result in a change request. It also promotes best practice, as the business processes become more efficient, and are supported by the selected software product without customization. This will require a focus on organizational change management, since the resulting processes are not reflective of the “way things are done today.”

Accepting the gap—and doing nothing. If the gap has little or no impact on business process efficiency or effectiveness, this method is likely the least impactful on the project, as there are no changes to scope, schedule, or cost. However, the concept of “doing nothing” to address the gap may have the same organizational change ramifications as the previous point.

Of course, there are other methods for addressing major software gaps. The BerryDunn team brings experience in facilitating discussions with agencies and their vendors to discuss gaps, their root causes, and possible solutions. We leverage a combination of project management discipline, organizational change management qualifications, and deep expertise to help clients increase the success likelihood for COTS software implementations—while maintaining their vital relationships with vendors.

Blog
Grappling with software gaps

All teams experience losing streaks, and all franchise dynasties lose some luster. Nevertheless, the game must go on. What can coaches do? The answer: be prepared, be patient, and be PR savvy. Business managers should keep these three P’s in mind as they read Chapter 8 in BerryDunn’s Cybersecurity Playbook for Management, which highlights how organizations can recover from incidents.

In the last chapter, we discussed incident response. What’s the difference between incident response and incident recovery?

RG: Incident response refers to detecting and identifying an incident—and hopefully eradicating the source or cause of the incident, such as malware. Incident recovery refers to getting things back to normal after an incident. They are different sides of the same resiliency coin.

I know you feel strongly that organizations should have incident response plans. Should organizations also have incident recovery plans?

RG: Absolutely. Have a recovery plan for each type of possible incident. Otherwise, how will your organization know if it has truly recovered from an incident? Having incident recovery plans will also help prevent knee-jerk decisions or reactions that could unintentionally cover up or destroy an incident’s forensic evidence.

In the last chapter, you stated managers and their teams can reference or re-purpose National Institute of Standards and Technology (NIST) special publications when creating incident response plans. Is it safe to assume you also suggest referencing or re-purposing NIST special publications when creating incident recovery plans?

RG: Yes. But keep in mind that incident recovery plans should also mesh with, or reflect, any business impact analyses developed by your organization. This way, you will help ensure that your incident recovery plans prioritize what needs to be recovered first—your organization’s most valuable assets.

That said, I should mention that cybersecurity attacks don’t always target an organization’s most valuable assets. Sometimes, cybersecurity attacks simply raise the “misery index” for a business or group by disrupting a process or knocking a network offline.

Besides having incident recovery plans, what else can managers do to support incident recovery?

RG: Similar to what we discussed in the last chapter, managers should make sure that internal and external communications about the incident and the resulting recovery are consistent, accurate, and within the legal requirements for your business or industry. Thus, having a good incident recovery communication plan is crucial. 

When should managers think about bringing in a third party to help with incident recovery?

RG: That’s a great question. I think this decision really comes down to the confidence you have in your team’s skills and experience. An outside vendor can give you a lot of different perspectives but your internal team knows the business. I think this is one area that it doesn’t hurt to have an outside perspective because it is so important and we often don’t perceive ourselves as the outside world does. 

This decision also depends on the scale of the incident. If your organization is trying to recover from a pretty significant or high-impact breach or outage, you shouldn’t hesitate to call someone. Also, check to see if your organization has cybersecurity insurance. If your organization has cybersecurity insurance, then your insurance company is likely going to tell you whether or not you need to bring in an outside team. Your insurance company will also likely help coordinate outside resources, such as law enforcement and incident recovery teams.

Do you think most organizations should have cybersecurity insurance? 

RG: In this day and age? Yes. But organizations need to understand that, once they sign up for cybersecurity insurance, they’re going to be scrutinized by the insurance company—under the microscope, so to speak—and that they’ll need to take their “cybersecurity health” very seriously.

Organizations need to really pay attention to what they’re paying for. My understanding is that many different types of cybersecurity insurance have very high premiums and deductibles. So, in theory, you could have a $1 million insurance policy, but a $250,000 deductible. And keep in mind that even a simple incident can cost more than $1 million in damages. Not surprisingly, I know of many organizations signing up for $10 million insurance policies. 

How can managers improve internal morale and external reputation during the recovery process?

RG: Well, leadership sets the tone. It’s like in sports—if a coach starts screaming and yelling, then it is likely that the players will start screaming and yelling. So set expectations for measured responses and reactions. 

Check in on a regular basis with your internal security team, or whoever is conducting incident recovery within your organization. Are team members holding up under pressure? Are they tired? Have you pushed them to the point where they are fatigued and making mistakes? The morale of these team members will, in part, dictate the morale of others in the organization.

Another element that can affect morale is—for lack of a better word—idleness resulting from an incident. If you have a department that can’t work due to an incident, and you know that it’s going to take several days to get things back to normal, you may not want department members coming into work and just sitting around. Think about it. At some point, these idle department members are going to grumble and bicker, and eventually affect the wider morale. 

As for improving external reputation?I don’t think it really matters, honestly, because I don’t think most people really, truly care. Why? Because everyone is vulnerable, and attacks happen all the time. At this point in time, cyberattacks seem to be part of the normal course and rhythm of business. Look at all the major breaches that have occurred over the past couple of years. There’s always some of immediate, short-term fallout, but there’s been very little long-term fallout. Now, that being said, it is possible for organizations to suffer a prolonged PR crisis after an incident. How do you avoid this? Keep communication consistent—and limit interactions between employees and the general public. One of the worst things that can happen after an incident is for a CEO to say, “Well, we’re not sure what happened,” and then for an employee to tweet exactly what happened. Mixed messages are PR death knells. 

Let’s add some context. Can you identify a business or group that, in your opinion, has handled the incident recovery process well?

RG: You know, I can’t, and for a very good reason. If a business or group does a really good job at incident recovery, then the public quickly forgets about the incident—or doesn’t even hear about it in the first place. Conversely, I can identify many businesses or groups that have handled the incident recovery process poorly, typically from a PR perspective.

Any final thoughts about resiliency?

RG: Yes. As you know, over the course of this blog series, I have repeated the idea that IT is not the same as security. These are two different concepts that should be tackled by two different teams—or approached in their appropriate context. Similarly, managers need to remember that resiliency is not an IT process—it’s a business process. You can’t just shove off resiliency responsibilities onto your IT team. As managers, you need to get directly involved with resiliency, just as you need to get directly involved with maturity, capacity, and discovery. 

So, we’ve reached the end of this blog series. Above all else, what do you hope managers will gain from it? 

RG: First, the perspective that to understand your organization’s cybersecurity, is to truly understand your organization and its business. And I predict that some managers will be able to immediately improve business processes once they better grasp the cybersecurity environment. Second, the perspective that cybersecurity is ultimately the responsibility of everyone within an organization. Sure, having a dedicated security team is great, but everyone—from the CEO to the intern—plays a part. Third, the perspective that effective cybersecurity is effective communication. A siloed, closed-door approach will not work. And finally, the perspective that cybersecurity is always changing, so that it’s a best practice to keep reading and learning about it. Anyone with questions should feel free to reach out to me directly.

Blog
Incident recovery: Cybersecurity playbook for management

State governments regularly negotiate contracts with vendors. Unfortunately, these negotiations are often prolonged, which can have major downstream effects on projects, procurements, and implementations—including skewed timelines, delayed milestones, and increased costs. Here are five suggestions for shortening contract negotiations. 

  1. Limit project scope. Leaner project scope equals shorter contract negotiations. Conversely, the sheer number of requirements, terms, and conditions for larger projects naturally inflate negotiations. Limiting scope means being conservative in what you are looking to achieve. Planning a core systems modernization? They can cost tens of millions of dollars. Limit scope (and cost) to just certain modules. If, for example, you have an ERP modernization, limit projects and procurements to key modules and milestones. 
  2. Use project management techniques. Treat the negotiation like a small project. For example, compile a list of tasks and deadlines, as well as names for necessary signatures. Develop a project plan and hold weekly check-ins to keep things on track. Assign someone in your organization as a single point of contact to help shepherd the contract through the process. 
  3. Make the vendor’s proposal part of the contract?verbatim. Some states still require copying the proposal response into a contract document, and that often requires modification of proposal language, which slows things down. Attach the solution proposal to the contract cover pages(s) so that the proposal is there, word for word. 
  4. Have vendors define deliverables, except for the minimum deliverables you must have. Vendors should know how to deliver their product and services and should include items they expect to be paid for, such as completion of a development cycle, software licenses, and a gap analysis report. Rather than define what deliverables you need, let the vendors define them, except for any mandatory ones, such as a training or testing plan. Ask for interim or draft versions of training or testing plans as part of proposal submission. 
  5. Tell vendors ahead of time what the payment constraints are. As a state government, you are bound by budget cycles and authority to spend. You also want working product tied to payment. With both factors in mind, tell vendors up front how much of the contract can be paid in a certain year and how much you are willing to tie to what deliverables. Don’t want to pay more than, say 40% of the project cost for non-software deliverables? Say so. Vendors can then plan their paydays and deliverable sequence accordingly. 

    You can also save time and effort by not negotiating at all. States often assume there will be, or allow for, negotiation periods. Yet states can make clear that no negotiation will occur after contract award—or limit what can be negotiated to a small, finite number of items. To prepare for this approach, states should gleam vendor stipulations ahead of time, and perhaps even score vendors on the number or type of stipulations. Use a pre-award proposal clarification period to clarify any terms or demands that are unfavorable to the state and consider ranking or evaluating proposals on the number of objections to terms/conditions raised. 

States should feel empowered to shorten (or, when appropriate, even eliminate) contract negotiations. After all, state time is state money.

Blog
Meet deadlines and cut costs: Five steps to faster contract negotiations

Artificial Intelligence, or AI, is no longer the exclusive tool of well-funded government entities and defense contractors, let alone a plot device in science fiction film and literature. Instead, AI is becoming as ubiquitous as the personal computer. The opportunities of what AI can do for internal audit are almost as endless as the challenges this disruptive technology represents.

To understand how AI will influence internal audit, we must first understand what AI is.The concept of AI—a technology that can perceive the world directly and respond to what it perceives—is often attributed to Alan Turing, though the term “Artificial Intelligence” was coined much later in 1956 at Dartmouth College, in Hanover, New Hampshire. Turing was a British scientist who developed the machine that cracked the Nazis’ Enigma code. Turing thought of AI as a machine that could convince a human that it also was human. Turing’s humble description of AI is as simple as it is elegant. Fast-forward some 60 years and AI is all around us and being applied in novel ways almost every day. Just consider autonomous self- driving vehicles, facial recognition systems that can spot a fugitive in a crowd, search engines that tailor our online experience, and even Pandora, which analyzes our tastes in music.

Today, in practice and in theory, there are four types of AI. Type I AI may be best represented by IBM’s Deep Blue, a chess-playing computer that made headlines in 1996 when it won a match against Russian chess champion Gary Kasparov. Type I AI is reactive. Deep Blue can beat a chess champion because it evaluates every piece on the chessboard, calculates all possible moves, then predicts the optimal move among all possibilities. Type I AI is really nothing more than a super calculator, processing data much faster than the human mind can. This is what gives Type I AI an advantage over humans.

Type II AI, which we find in autonomous cars, is also reactive. For example, it applies brakes when it predicts a collision; but, it has a low form of memory as well. Type II AI can briefly remember details, such as the speed of oncoming traffic or the distance between the car and a bicyclist. However, this memory is volatile. When the situation has passed, Type II AI deletes the data from its memory and moves on to the next challenge down the road.

Type II AI's simple form of memory management and the ability to “learn” from the world in which it resides is a significant advancement. 
The leap from Type II AI to Type III AI has yet to occur. Type III AI will not only incorporate the awareness of the world around it, but will also be able to predict the responses and motivations of other entities and objects, and understand that emotions and thoughts are the drivers of behavior. Taking the autonomous car analogy to the next step, Type III AI vehicles will interact with the driver. By conducting a simple assessment of the driver’s emotions, the AI will be able to suggest a soothing playlist to ease the driver's tensions during his or her commute, reducing the likelihood of aggressive driving. Lastly, Type IV AI–a milestone that will likely be reached at some point over the next 20 or 30 years—will be self-aware. Not only will Type IV AI soothe the driver, it will interact with the driver as if it were another human riding along for the drive; think of “HAL” in Arthur C. Clarke’s 2001: A Space Odyssey.

So what does this all mean to internal auditors?
While it may be a bit premature to predict AI’s impact on the internal audit profession, AI is already being used to predict control failures in institutions with robust cybersecurity programs. When malicious code is detected and certain conditions are met, AI-enabled devices can either divert the malicious traffic away from sensitive data, or even shut off access completely until an incident response team has had time to investigate the nature of the attack and take appropriate actions. This may seem a rather rudimentary use of AI, but in large financial institutions or manufacturing facilities, minutes count—and equal dollars. Allowing AI to cut off access to a line of business that may cost the company money (and its reputation) is a significant leap of faith, and not for the faint of heart. Next generation AI-enabled devices will have even more capabilities, including behavioral analysis, to predict a user’s intentions before gaining access to data.

In the future, internal audit staff will no doubt train AI to seek conditions that require deeper analysis, or even predict when a control will fail. Yet AI will be able to facilitate the internal audit process in other ways. Consider AI’s role in data quality. Advances in inexpensive data storage (e.g., the cloud) have allowed the creation and aggregation of volumes of data subject to internal audit, making the testing of the data’s completeness, integrity, and reliability a challenging task considering the sheer volume of data. Future AI will be able to continuously monitor this data, alerting internal auditors not only of the status of data in both storage and motion, but also of potential fraud and disclosures.

The analysis won’t stop there.
AI will measure the performance of the data in meeting organizational objectives, and suggest where efficiencies can be gained by focusing technical and human resources to where the greatest risks to the organization exist in near real-time. This will allow internal auditors to develop a common operating picture of the day-to-day activities in their business environments, alerting internal audit when something doesn’t quite look right and requires further investigation.

As promising as AI is, the technology comes with some ethical considerations. Because AI is created by humans, it is not always vacant of human flaws. For instance, AI can become unpredictably biased. AI used in facial recognition systems has made racial judgments based on certain common facial characteristics. In addition, AI that gathers data from multiple sources that span a person’s financial status, credit status, education, and individual likes and dislikes could be used to profile certain groups for nefarious intentions. Moreover, AI has the potential to be weaponized in ways that we have yet to comprehend.

There is also the question of how internal auditors will be able to audit AI. Keeping AI safe from internal fraudsters and external adversaries is going to be paramount. AI’s ability to think and act faster than humans will challenge all of us to create novel ways of designing and testing controls to measure AI’s performance. This, in turn, will likely make partnerships with consultants that can fill knowledge gaps even more valuable. 

Challenges and pitfalls aside, AI will likely have a tremendous positive effect on the internal audit profession by simultaneously identifying risks and evaluating processes and control design. In fact, it is quite possible that the first adopters of AI in many organizations may not be the cybersecurity departments at all, but rather the internal auditor’s office. As a result, future internal auditors will become highly technical professionals and perhaps trailblazers in this new and amazing technology.

Blog
Artificial intelligence and the future of internal audit

The world of professional sports is rife with instability and insecurity. Star athletes leave or become injured; coaching staff make bad calls or public statements. The ultimate strength of a sports team is its ability to rebound. The same holds true for other groups and businesses. Chapter 7 in BerryDunn’s Cybersecurity Playbook for Management looks at how organizations can prepare for, and respond to, incidents.

The final two chapters of this Cybersecurity Playbook for Management focus on the concept of resiliency. What exactly is resiliency?
RG
: Resiliency refers to an organization’s ability to keep the lights on—to keep producing—after an incident. An incident is anything that disrupts normal operations, such as a malicious cyberattack or an innocent IT mistake.

Among security professionals, attitudes toward resiliency have changed recently. Consider the fact that the U.S. Department of Defense (DOD) has come out and said, in essence, that cyberwarfare is a war that it cannot win—because cyberwarfare is so complex and so nuanced. The battlefield changes daily and the opponents have either a lot of resources or a lot of time on their hands. Therefore, the DOD is placing an emphasis on responding and recovering from incidents, rather than preventing them.

That’s sobering.
RG
: It is! And businesses and organizations should take note of this attitude change. Protection, which was once the start and endpoint for security, has given way to resiliency.

When and why did this attitude change occur?
RG
: Several years ago, security experts started to grasp just how clever certain nation states, such as China and Russia, were at using malicious software. If you could point to one significant event, likely the 2013 Target breach is it.

What are some examples of incidents that managers need to prepare for?
RG
: Examples range from external breaches and insider threats to instances of malfeasance or incompetence. Different types of incidents lead to the same types of results—yet you can’t have a broad view of incidents. Managers should work with their teams to create incident response plans that reflect the threats associated with their specific line of business. A handful of general incident response plans isn’t going to cut it.

Managers need to work with their teams to develop a specific incident response plan for each specific type of incident. Why? Well, think of it this way: Your response to a careless employee should be different from your response to a malicious employee, for a whole host of legal reasons.

Incident response is not a cookie-cutter process. In fact, it is quite the opposite. This is one of the reasons I highly suggest that security teams include staff members with liberal arts backgrounds. I’m generalizing, but these people tend to be creative. And when you’re responding to incidents, you want people who can look at a problem or situation from a global or external perspective, not just a technical or operational perspective. These team members can help answer questions such as, what does the world see when they look at our organization? What organizational information might be valuable to, or targeted by, malicious actors? You’ll get some valuable fresh perspectives.

How short or long should the typical incident response plan be?
RG
: They can be as short as needed; I often see good incident response plans no more than three or four pages in length. However, it is important that incident response plans are task oriented, so that it is clear who does what next. And when people follow an incident response plan, they should physically or digitally check off each activity, then record each activity.

What system or software do you recommend for recording incidents and responses?
RG
: There are all types of help desk software you can use, including free and open source software. I recommend using help desk software with workflow capabilities so your team can assign and track tasks.

Any other tips for developing incident response plans?
RG
: First, managers should work with, and solicit feedback from, different data owners and groups within the organization—such as IT, HR, and Legal—when developing incident response plans. If you create these documents in a vacuum, they will be useless.

Second, managers and their teams should take their time and develop the most “solid” incident response plans possible. Don’t rush the process. The effectiveness of your incident response plans will be critical in assessing your organization’s ability to survive a breach. Because of this, you should be measuring your response plans through periodic testing, like conducting tabletop exercises.

Third, keep your organization’s customers in mind when developing these plans. You want to make sure external communications are consistent, accurate, and within the legal requirements for your business or industry. The last thing you want is customers receiving conflicting messages about the incident. This can cause unnecessary grief for you, but can also cause an unmeasurable loss of customer confidence.

Are there any decent incident response plans in the public domain that managers and their teams can adapt for their own purposes?
RG
: Yes. My default reference is the National Institute of Standards and Technology (NIST). NIST has many special publications that describe the incident response process, how to develop a solid plan, and how to test your plan.

Should organizations have dedicated incident response teams?
RG: Definitely. Larger organizations usually have the resources and ability to staff these teams internally. Smaller organizations may want to consider hiring a reputable third party to act as an incident response team. The key with hiring a third party? Don’t wait until an incident occurs! If you wait, you’re going to panic, and make panic-based decisions. Be proactive and hire a third party on retainer.

That said, even larger organizations should consider hiring a third party on an annual basis to review incident response plans and processes. Why? Because every organization can grow complacent, and complacency kills. A third party can help gauge the strengths and weaknesses of your internal incident response teams, and provide suggestions for general or specific training. A third party can also educate your organization about the latest and greatest cyber threats.

Should managers empower their teams to conduct internal “hackathons” in order to test incident response?
RG
: Sure! It’s good practice, and it can be a lot of fun for team members. There are a few caveats. First, don’t call it a “hackathon.” The word can elicit negative reactions from upper management—whose support you really need. Call it “active testing” or “continuous improvement exercises.” These activities allow team members to think creatively, and are opportunities for them to boost their cybersecurity knowledge. Second, be prepared for pushback. Some managers worry if team members gain more cybersecurity skills, then they’ll eventually leave the organization for another, higher-paying job. I think you should be committed to the growth of your team members; it’ll only make your organization more secure.

What are some best practices managers should follow when reporting incidents to their leadership?
RG
: Keep the update quick, brief, and to the point. Leave all the technical jargon out, and keep everything in a business context. This way leadership can grasp the ramifications of the event and understand what matters. Be prepared to outline how you’re responding and what actions leadership can take to support the incident response team and protect the business. In the last chapter, I mentioned what I call the General Colin Powell method of reporting, and I suggest using that method when informing leadership. Tell them what you know, what you don’t know, what you think, and what you recommend. Have answers, or at least a plan.

Above all else, don’t scare leadership. If you present them with panic, you’re going to get panic back. Be a calm voice in the storm. Management will respond better, as will your team.

Another thing to keep in mind is different business leaders have different responses to this sort of news. An elected official, for example, might react differently than the CEO of a private company, simply due to possible political fallout. Keep this context in mind when reporting incidents. It can help you craft the message.

How much organization-wide communication should there be about incidents?
RG
: That’s a great question, but a tough one to answer. Transparency is good, but it can also unintentionally lead to further incidents. Do you really want to let your whole organization know about an exploitable weakness? Also, employees can spread information about incidents on social media, which can actually lead to the spread of misinformation. If you are in doubt about whether or not to inform the entire organization about an incident, refer to your Legal Department. In general, organization-wide communication should be direct: We’ve had an incident; these are the facts; this is what you are allowed to say on social media; and this is what you’re not allowed to say on social media.

Another great but tough question: When do you tell the public about an incident? For this type of communication, you’re going to need buy-in from various sources: leadership, Legal, HR, and your PR team or external PR partners. You have to make sure the public messaging is consistent. Otherwise, citizens and the media will try to poke holes in your official story. And that can lead to even more issues.

So what’s next?
RG
: Chapter 8 will focus on how managers can help their organizations recover from a cybersecurity incident.

To find out when we post our next cybersecurity playbook article, please sign up to receive updates here.

Blog
Incident response: Cybersecurity playbook for management

Any sports team can pull off a random great play. Only the best sports teams, though, can pull off great plays consistently — and over time. The secret to this lies in the ability of the coaching staff to manage the team on a day-to-day basis, while also continually selling their vision to the team’s ownership. Chapter Six in BerryDunn’s Cybersecurity Playbook for Management looks at how managers can achieve similar success through similar actions.

The title of this chapter is “The Workflow.” What are we talking about today?
RG
: In previous chapters, we’ve walked managers through cybersecurity concepts like maturity, capacity, and discovery. Today, we’re going to discuss how you can foster a consistent and repeatable cybersecurity program — the cybersecurity workflow, if you will. And for managers, this is where game planning begins. To achieve success, they need to effectively oversee their team on a day-to-day basis, and continually sell the cybersecurity program to the business leadership for whom they work — the board or CEO.

Let’s dive right in. How exactly do managers oversee a cybersecurity program on a day-to-day basis?
RG
: Get out of the way, and let your team do its work. By this point, you should know what your team is capable of. Therefore, you need to trust your team. Yet you should always verify. If your team recommends purchasing new software, have your team explain, in business terms, the reasons for the purchase. Then verify those reasons. Operationalizing tools, for example, can be difficult and costly, so make sure they put together a road map with measurable outcomes before you agree to buy any tools — even if they sound magical!

Second, empower your team by facilitating open dialogue. If your team brings you bad news, listen to the bad news — otherwise, you’ll end up alienating people. Know that your team is going to find things within your organization’s “auditable universe” that are going to make you uncomfortable from a cybersecurity point of view. Nevertheless, you need to encourage your team to share the information, so don’t overreact.

Third, give your team a communication structure that squelches a crisis-mode mentality — “Everything’s a disaster!” In order to do that, make sure your team gives every weakness or issue they discover a risk score, and log the score in a risk register. That way, you can prioritize what is truly important.

Fourth, resolve conflicts between different people or groups on your team. Take, for example, conflict between IT staff and security staff, (read more here). It is a common issue, as there is natural friction between these groups, so be ready to deal with it. IT is focused on running operations, while security is focused on protecting operations. Sometimes, protection mechanisms can disrupt operations. Therefore, managers need to act as peacemakers between the two groups. Don’t show favoritism toward one group or another, and don’t get involved in nebulous conversations regarding which group has “more skin in the game.” Instead, focus on what is best for your organization from a business perspective. The business perspective ultimately trumps either IT or security concerns.

Talk about communication for a moment. Managers often come from business backgrounds, while technical staff often come from IT backgrounds. How do you foster clear communication across this divide?
RG
: Have people talk in simple terms. Require everyone on your team use plain language to describe what they know or think. I recommend using what I call the Colin Powell method of reporting:

1. Tell me what you know.
2. Tell me what you don’t know.
3. Tell me what you think.
4. Tell me what you recommend.

When you ask team members questions in personal terms — “Tell me what you know”—you tend to receive easy-to-understand, non-jargon answers.

Something that we really haven’t talked about in this series is cybersecurity training. Do you suggest managers implement regular cybersecurity training for their team?
RG
: This is complicated, and my response will likely be be a little controversial to many. Yes, most organizations should require some sort of cybersecurity training. But I personally would not invest a lot of time or money into cybersecurity training beyond the basics for most users and specific training for technical staff. Instead, I would plan to spend more money on resiliency — responding to, and recovering from, a cybersecurity attack or incident. (We’ll talk about resiliency more in the next two chapters.) Why? Well, you can train people all day long, but it only takes one person to be malicious, or to make an innocent mistake, that leads to a cybersecurity attack or incident. Let’s look at my point from a different perspective. Pretend you’re the manager of a bank, and you have some money to spend on security. Are you going to spend that money on training your employees how to identify a robber? Or are you going to spend that money on a nice, state-of-the-art vault?

Let’s shift from talking about staff to talking about business leadership. How do managers sell the cybersecurity program to them?
RG
: Use business language, not technical language. For instance, a CEO may not necessarily care much about the technical behavior of a specific malware, but they are going to really care about the negative effects that malware can have on the business.

Also, keep the conversation short, simple, and direct. Leadership doesn’t have time to hear about all you’re doing. Leadership wants progress updates and a clear sense of how the cybersecurity program is helping the business. I suggest discussing three to four high-priority security risks, and summarizing how you and your team are addressing those risks.

And always remember that in times of crisis, those who keep a cool head tend to gain the most support. Therefore, when talking to the board or CEO, don’t be the bearer of “doom and gloom.” Be calm, positive, empowering, and encouraging. Provide a solution. And make leadership part of the solution by reminding them that they, too, have cybersecurity responsibilities, such as communicating the value of the cybersecurity program to the organization — internal PR, in other words.

How exactly should a manager communicate this info to leadership? Do you suggest one-on-one chats, reports, or presentations?
RG
: This all depends on leadership. You know, some people are verbal learners; some people are visual learners. It might take some trial and error to figure out the best medium for conveying your information, and that’s OK. Remember: cybersecurity is an ongoing process, not a one-and-done event. However, if you are going to pursue the one-on-one chat route, just be prepared, materials-wise. If leadership asks for a remediation plan, then you better have that remediation plan ready to present!

What is one of the biggest challenges that managers face when selling cybersecurity programs to leadership?RG: One of the biggest challenges is addressing questions about ROI, because there often are no quantifiable financial ROIs for cybersecurity. But organizations have to protect themselves. So the question is, how much money is your organization willing to spend to protect itself? Or, in other words, how much risk can your organization reduce — and does this reduction justify the cost?

One possible way to communicate the value of cybersecurity to leadership is to compare it to other necessary elements within the organization, such as HR. What is the ROI of HR? Who knows? But do you really want your organization to lack an HR department? Think of all the possible logistic and legal issues that could swamp your organization without an HR department. It’s terrifying to think about! And the same goes for cybersecurity.

We’ve talked about how managers should communicate with their team and with business leadership. What about the organization as a whole?
RG
: Sure! Regular email updates are great, especially if you keep them “light,” so to speak. Don’t get into minutia. That said, I also think a little bit of secrecy goes a long way. Organizations need to be aware of, and vigilant toward, insider threats. Loose lips sink ships, you know? Gone are the days when a person works for an organization for 30+ years. Employees come and go pretty frequently. As a result, the concept of company loyalty has changed. So make sure your organization-wide updates don’t give away too much cybersecurity information.

So what’s next?
RG:
Chapter 7 will focus on how managers can help their organizations respond to a cybersecurity attack or incident.

Blog
The workflow: Cybersecurity playbook for management

The late science fiction writer (and college professor) Isaac Asimov once said: “I do not fear computers. I fear the lack of them.” Had Asimov worked in higher ed IT management, he might have added: “but above all else, I fear the lack of computer staff.”

Indeed, it can be a challenge for higher education institutions to recruit and retain IT professionals. Private companies often pay more in a good economy, and in certain areas of the nation, open IT positions at colleges and universities outnumber available, qualified IT workers. According to one study from 2016, almost half of higher education IT workers are at risk of leaving the institutions they serve, largely for better opportunities and more supportive workplaces. Understandably, IT leadership fears an uncertain future of vacant roles—yet there are simple tactics that can help you improve the chances of filling open positions.

Emphasize the whole package

You need to leverage your institution’s strengths when recruiting IT talent. A focus on innovation, project leadership, and responsibility for supporting the mission of the institution are important attributes to promote when recruiting. Your institution should sell quality of life, which can be much more attractive than corporate culture. Many candidates are attracted to the energy and activity of college campuses, in addition to the numerous social and recreational outlets colleges provide.

Benefit packages are another strong asset for recruiting top talent. Schools need to ensure potential candidates know the amount of paid leave, retirement, and educational assistance for employees and employee family members. These added perks will pique the interest of many candidates who might otherwise have only looked at salary during the process.

Use the right job title

Some current school vacancies have very specific job titles, such as “Portal Administrator” or “Learning Multimedia Developer.” However, this specificity can limit visibility on popular job posting sites, reducing the number of qualified applicants. Job titles, such as “Web Developer” and “Java Developer,” can yield better search results. Furthermore, some current vacancies include a number or level after the job title (e.g., “System Administrator 2”), which also limits visibility on these sites. By removing these indicators, you can significantly increase the applicant pool.

Focus on service, not just technology

Each year, institutions deploy an increasing number of Software as a Service (SaaS) and hosted applications. As higher education institutions invest more in these applications, they need fewer personnel for day-to-day technology maintenance support. In turn, this allows IT organizations to focus limited resources on services that identify and analyze technology solutions, provide guidance to optimize technology investments, and manage vendor relationships. IT staff with soft skills will become even more valuable to your institution as they engage in more people- and process-centric efforts.

Fill in the future

It may seem like science fiction, but by revising your recruiting and retention tactics, your higher education institution can improve its chances of filling IT positions in a competitive job market. In a future blog, I’ll provide ideas for cultivating staff from your institution via student workers and upcoming graduates. If you’d like to discuss additional staffing tactics, send me an email.

Blog
No science fiction: Tactics for recruiting and retaining higher education IT positions

When an organization wants to select and implement a new software solution, the following process typically occurs:

  1. The organization compiles a list of requirements for essential and non-essential (but helpful) functions.
  2. The organization incorporates the requirements into an RFP to solicit solutions from vendors.
  3. The organization selects finalist vendors to provide presentations and demonstrations.
  4. The organization selects one preferred vendor based on various qualifications, including how well the vendor’s solution meets the requirements listed in the RFP. A contract between the organization and vendor is executed for delivery of the solution.
  5. The preferred vendor conducts a gap analysis to see if there are gaps between the requirements and its solution—and discloses those gaps.
  6. The preferred vendor resolves the gaps, which often results in change orders, cost adjustments, and delays.

Sound painful? It can be. Step #5—the gap analysis, and its post-contract timing—is the main culprit. However, without it, an organization will be unaware of solution shortcomings, which can lead to countless problems down the road. So what’s an organization to do?

A Possible Solution
One suggestion: Don’t wait until you choose the preferred vendor for a gap analysis. Have finalist vendors conduct pre-contract gap analyses for you.

You read that right. Pay each finalist vendor to visit your organization for a week to learn about your current and desired software needs. Then pay them to develop and present a report, based on both the RFP and on-site discussions, which outlines how their solution will meet your current and desired software needs—as well as how they will meet any gaps. Among other things, a pre-contract gap analysis will help finalist vendors determine:

  • Whether programming changes are necessary to meet requirements
  • Whether functions can be provided through configuration setup, changes in database tables, or some other non-customized solution
  • What workarounds will be necessary
  • What functionalities they can't, or won't, provide

Select a preferred vendor based on both their initial proposal and solution report.
Of course, to save time and money, you could select only one finalist vendor for the pre-contract gap analysis. But having multiple finalist vendors creates a competitive environment that can benefit your organization, and can prevent your organization from having to go back to other vendors if you’re dissatisfied with the single finalist vendor’s proposal and solution report, or if contract negotiations prove unsuccessful.

Pros
You can set realistic expectations. By having finalist vendors conduct gap analyses during the selection process, they will gain a better understanding of your organization, and both your essential and nonessential software needs. In turn, your organization gets a better understanding of the functionality and limitations of the proposed solutions. This allows your organization to pinpoint costs for system essentials, including costs to address identified gaps. Your organization can also explore the benefits and costs of optional functions. Knowing the price breakdowns ahead of time will allow your organization to adjust its system requirements list.

You can reduce the need for, or pressure to accept, scope changes and change orders. Adding to, or deleting from, the scope of work after solution implementation is underway can create project delays and frustration. Nailing down gaps—and the preferred vendor’s solutions to meet those gaps—on the front end increases efficiency, helps to ensure best use of project resources, and minimizes unnecessary work or rework. It may also save you expense later on in the process.

Cons
You will incur additional up-front costs. Obviously, your organization will have to pay to bring finalist vendors on-site so they can learn the intricacies of your business and technical environment, and demonstrate their proposed solutions. Expenses will include vendors’ time, costs for transportation, lodging, and meals. These costs will need to be less than those typically incurred in the usual approach, or else any advantage to the modified gap analysis is minimized.

You might encounter resistance. Some finalist vendors might not be willing to invest the time and effort required to travel and conduct gap analyses for a system they may not be selected to implement. They will be more interested in the larger paycheck. Likewise, stakeholders in your own organization might feel that the required costs and time investments are impractical or unrealistic. Remind staff of the upfront investment and take note of which vendors are willing to do the same.

Blog
The pros and cons of pre-contract gap analyses

A professional sports team is an ever-changing entity. To have a general perspective on the team’s fluctuating strengths and weaknesses, a good coach needs to trust and empower their staff to discover the details. Chapter 5 in BerryDunn’s Cybersecurity Playbook for Management looks at how discovery can help managers understand their organization’s ever-changing IT environment. 

What is discovery, and how does it connect to capacity?
RG: Discovery is the process of mapping your organization’s capacity—people, processes, and tools—so you understand what your organization’s IT environment has. In other words, it’s the auditing of your IT environment.

Of course, the most valuable thing within your IT environment, other than the people who access it, is the “thing” that drives your business. Often this thing is data, but it could be proprietary processes or machinery. For the purposes of this blog, we’ll focus on data. Discovery naturally answer questions such as:

• What in our IT environment is important to our business?
• How is it being used?
• Who has access to it, and how can we better protect it? 

How can managers tackle discovery?
RG: First, you need to understand discovery requires accepting the fact that the environment is always evolving. Discovery is not a one-and-done process—it, never ends. People introduce new things, like updated software, into IT environments all the time. Your IT environment is an always-shifting playing field. Think of Amazon’s Alexa devices. When someone plugs one into your internal wireless network, they’ve just expanded your attack surface for a hacker by introducing a new device with its own set of vulnerabilities.

Second, you have to define the “auditable universe” by establishing manageable boundaries in direct proportion to your discovery team’s capabilities. I often see solicitations for proposals that ask for discovery of all assets in an IT environment. That could include a headquarters building, 20 satellite offices, and remote workers, and is going to take a long time to assess. I recently heard of a hospital discovering 41,000 internet-connected devices on their network—mostly Internet of Things (IoT) resources, such as heart monitors. Originally, the hospital had only been aware of about one-third of these devices. Keeping your boundaries realistic and manageable can prevent your team from being overwhelmed.

Third, your managers should refrain from getting directly involved with discovery because it’s a pretty technical and time-consuming process. You should task a team to conduct discovery, and provide the discovery team with adequate tools. There are a lot of good tools that can help map networks and manage assets; we’ll talk about them later in this blog. Managers should mainly concern themselves with the results of discovery and trust in the team’s ability to competently map out the IT environment. Remember, the IT environment is always evolving, so even as the results roll in, things are changing.

Who should managers select for the discovery team?
RG: Ideally, various groups of people. For instance, it makes sense for HR staff to conduct the people part of discovery. Likewise, it makes sense for data owners—staff responsible for certain data—to conduct the process part of discovery, and for IT staff to conduct the tool part.

However, I should point out that if you have limited internal resources, then the IT staff can conduct all three parts of discovery, working closely with all stakeholders. IT staff will have a pretty good sense of where data is held within the organization’s IT environment, and they will develop an understanding of what is important to the organization.

Could an organization’s security staff conduct discovery?
RG: Interestingly enough, security staff don’t always have day-to-day interactions with data. They are more focused on overall data protection strategies and tactics. Therefore, it makes more sense to leverage other staff, but the results of discovery (e.g., knowing where data resides, understanding the sensitivity of data) need to be shared with security staff. Ultimately, this knowledge will help security staff better protect your data.

What about hiring external resources to conduct discovery?
RG: It depends on what you’re trying to do. If the goal of discovery is to comply with some sort of regulatory standard or framework, then yes, hiring external resources makes sense. These resources could come in and, using the discovery process, conduct a formal assessment. It may also make sense to hire external resources if you’re short-staffed, or if you have a complex environment with undocumented data repositories, processes, and tools. Yet in each of these scenarios, the external resources will only be able to provide a point-in-time baseline. 

Otherwise, I recommend leveraging your internal staff. An internal discovery team should be able to handle the task if adequately staffed and resourced, and team members will learn a lot in the process. And as discovery never really ends, do you want to have to perpetually hire external resources?

People make up a big part of capacity. Should the discovery team focus on people and their roles in this process?
RG: Yes! It sounds odd that people and their roles are included in discovery, but it is important to know who is using and touching your data. At a minimum, the discovery team needs to conduct background checks. (This is one example of where HR staff need to be part of the discovery process.)

How can the discovery team best map processes?
RG: The discovery team has to review each process with the respective data owner. Now, if you are asking the data owners themselves to conduct discovery, then you should have them illustrate their own workflows. There are various process mapping tools, such as Microsoft Visio, that data owners can use for this.

The discovery team needs to acknowledge that data owners often perform their processes correctly through repetition—the problems or potential vulnerabilities stem from an inherently flawed or insecure process, or having one person in charge of too many processes. Managers should watch out for this. I’ll give you a perfect example of the latter sort of situation. I once helped a client walk through the process of system recovery.

During the process we discovered that the individual responsible for system recovery also had the ability to manipulate database records and to print checks. In theory, that person could have been able to cut themselves a check and then erase its history from the system. That’s a big problem!

Other times, data owners perform their processes correctly, but inadvertently use compromised or corrupted tools, such as free software downloaded from the internet. The discovery team has to identify needed policy and procedure changes to prevent these situations from happening.

Your mention of vulnerable software segues nicely to the topic of tools. How can the discovery team best map the technologies the organization uses?
RG: Technology is inherently flawed. You can’t go a week without hearing about a new vulnerability in a widely used system or application. I suggest researching network scanning tools for identifying hosts within your network; vulnerability testing tools for identifying technological weaknesses or gaps; and penetration testing tools for simulating cyber-attacks to assess cybersecurity defenses.

Let’s assume a manager has tasked a team to conduct discovery. What’s the next step?
RG: If you recall, in the previous blog I discussed the value of adopting a cybersecurity risk register, which is a document used to list the organization’s cybersecurity risks, record required risk mitigation actions, and identify who “owns” the risk. The next step is for your discovery team to start completing the risk register. The manager uses this risk register, and subsequent discussions with the team, to make corresponding business decisions to improve cybersecurity, such as purchasing new tools—and to measure the progress of mitigating any vulnerabilities identified in the discovery process. A risk register can become an invaluable resource planning tool for managers.

For discovery purposes, what’s the best format for a cybersecurity risk register?
RG: There are very expensive programs an organization can use to create a risk register. Some extremely large banking companies use the RSA Archer GRC platform. However, you can build a very simple risk register in Excel. An Excel spreadsheet would work well for small and some mid-sized organizations, but there are other relatively inexpensive solutions available. I say this because managers should aim for simplicity. You don’t want the discovery team getting bogged down by a complex risk register.

Finally, what are some discovery resources and reference guides that managers should become familiar with and utilize?
RG: I recommend the National Institute of Standards and Technology (NIST) Special Publication series. They outline very specific and detailed discovery methodologies you can use to improve your discovery process.

So what’s next?
RG: Chapter 6 will focus on synthesizing maturity, capacity, and discovery to create a resilient organization from a cybersecurity point of view.

To find out when we post our next cybersecurity playbook article, please sign up to receive updates here.

Blog
Discovery: Cybersecurity playbook for management

While new software applications help you speed up processes and operations, deciding which ones will work best for your organization can quickly evolve into analysis paralysis, as there are so many considerations.

Case in point: Software as a Service (SaaS) model
The benefits of the SaaS model, in which a vendor remotely hosts an organization’s applications, are fairly well known: your organization doesn’t have to shell out for costly hardware, the vendor tackles upgrades, backups, data recovery, and security, and you have more time and money to focus on your business goals.

There are multiple factors to look at when determining whether a SaaS solution is right for you. We’ve compiled a list of the top three SaaS considerations:

1. Infrastructure and capacity
Your organization should consider your own people, processes, and tools when determining whether SaaS makes sense. While an on-site solution may require purchasing new technologies, hiring new staff, and realigning current roles and responsibilities to maintain the system, maintaining a SaaS solution may also require infrastructure updates, such as increased bandwidth to sufficiently connect to the vendor's hosting site.

Needless to say, it’s one thing to maintain a solution; it’s an entirely different thing to keep it secure. An on-site hosting solution requires constant security upgrades, internal audits, and a backup system—all of which takes time and money. A SaaS model requires trust in your vendor to provide security. Make sure your potential vendor uses the latest security measures and standards to keep your critical business data safe and secure.

2. Expense
When you purchase major assets—for example, hardware to host its applications—it incurs capital expenses. Conversely, when you spend money on day-to-day operations (SaaS subscriptions), it incurs operating expenses.

You should weigh the pros and cons of each type of expense when considering a SaaS model. On-site upfront capital expenses for hosting hardware are generally high, and expenses can spike overtime when you update the technology, which can be difficult to predict. And don’t forget about ongoing costs for maintenance, software upgrades, and security patches.

In the SaaS model, you spread out operating costs over time and can predict costs because you are paying via subscription—which generally includes costs for maintenance, software upgrades, and security patches. However, remember you can depreciate capital expenses over time, whereas the deductibility of operating expenses are generally for the year you use them.

3. Vendor viability
Finally, you need to conduct due diligence and vet SaaS vendors before closing the deal. Because SaaS vendors assume the responsibility for vital processes, such as data recovery and security, you need to make sure the potential vendor is financially stable and has a sustainable business model. To help ensure you receive the best possible service, select a vendor considered a leader in its market sector. Prepare a viable exit strategy beforehand so you can migrate your business processes and data easily in case you have any issues with the SaaS provider.

You must read—and understand—the fine print. This is especially important when it comes to the vendor’s policies toward data ownership and future migrations to other service providers, should that become necessary. In other words: Make sure you have final say and control over your data.

Every organization has different aspects of their situation to consider when making a SaaS determination. Want to learn more? It’s a snap! Contact the authors: Clark Lathrum and Matthew Tremblay

Blog
SaaS: Is it right for you? Making SaaS determinations a snap.

Just as sports teams need to bring in outside resources — a new starting pitcher, for example, or a free agent QB — in order to get better and win more games, most organizations need to bring in outside resources to win the cybersecurity game. Chapter 4 in our Cybersecurity Playbook for Management looks at how managers can best identify and leverage these outside resources, known as external capacity.

In your last blog, you mentioned that external capacity refers to outside resources — people, processes, and tools — you hire or purchase to improve maturity. So let’s start with people. What advice would you give managers for hiring new staff?
RG: I would tell them to search for new staff within their communities of interest. For instance, if you’re in financial services, use the Financial Services Information Sharing and Analysis Center (FS-ISAC) as a resource. If you’re in government, look to the Multi-State Information Sharing and Analysis Center (MS-ISAC). Perhaps more importantly, I would tell managers what NOT to do.

First, don’t get caught up in the certification trap. There are a lot of people out there who are highly qualified on paper, but who don’t have a lot of the real-world experience. Make sure you find people with relevant experience.

Second, don’t blindly hire fresh talent. If you need to hire a security strategist, don’t hire someone right out of college just getting started. While they might know security theories, they’re not going to know much about business realities.

Third, vet your prospective hires. Run national background checks on them, and contact their references. While there is a natural tendency to trust people, especially cybersecurity professionals, you need to be smart, as there are lots of horror stories out there. I once worked for a bank in Europe that had hired new security and IT staff. The bank noticed a pattern: these workers would work for six or seven months, and then just disappear. Eventually, it became clear that this was an act of espionage. The bank was ripe for acquisition, and a second bank used these workers to gather intelligence so it could make a takeover attempt. Every organization needs to be extremely cautious.

Finally, don’t try to hire catchall staff. People in management often think: “I want someone to come in and rewrite all of our security policies and procedures, and oversee strategic planning, and I also want them to work on the firewall.” It doesn’t work that way. A security strategist is very different from a firewall technician — and come with two completely different areas of focus. Security strategists focus on the high-level relationship between business processes and outside threats, not technical operations. Another point to consider: if you really need someone to work on your firewall, look at your internal capacity first. You probably already have staff who can handle that. Save your budget for other resources.

You have previously touched upon the idea that security and IT are two separate areas.
RG
: Yes. And managers need to understand that. Ideally, an organization should have a Security Department and an IT Department. Obviously, IT and Security work hand-in-glove, but there is a natural friction between the two, and that is for good reason. IT is focused on running operations, while security is focused on protecting them. Sometimes, protection mechanisms can disrupt operations or impede access to critical resources.

For example, two-factor authentication slows down the time to access data. This friction often upsets both end users and IT staff alike; people want to work unimpeded, so a balance has to be struck between resource availability and safeguarding the system itself. Simply put, IT sometimes cares less about security and more about keeping end users happy — and while that it is important, security is equally important.

What’s your view on hiring consultants instead of staff?
RG
: There are plenty of good security consultants out there. Just be smart. Vet them. Again, run national background checks, and contact their references. Confirm the consultant is bonded and insured. And don’t give them the keys to the kingdom. Be judicious when providing them with administrative passwords, and distinguish them in the network so you can keep an eye on their activity. Tell the consultant that everything they do has to be auditable. Unfortunately, there are consultants who will set up shop and pursue malicious activities. It happens — particularly when organizations hire consultants through a third-party hiring agency. Sometimes, these agencies don’t conduct background checks on consultants, and instead expect the client to.

The consultant also needs to understand your business, and you need to know what to expect for your money. Let’s say you want to hire a consultant to implement a new firewall. Firewalls are expensive and challenging to implement. Will the consultant simply implement the firewall and walk away? Or will the consultant not only implement the firewall, but also teach and train your team in using and modify the firewall? You need to know this up front. Ask questions and agree, in writing, the scope of the engagement — before the engagement begins.

What should managers be aware of when they hire consultants to implement new processes?
RG
: Make sure that the consultant understands the perspectives of IT, security, and management, because the end result of a new process is always a business result, and new processes have to make financial sense.

Managers need to leverage the expertise of consultants to help make process decisions. I’ll give you an example. In striving to improve their cybersecurity maturity, many organizations adopt a cybersecurity risk register, which is a document used to list the organization’s cybersecurity risks, record actions required to mitigate those risks, and identify who “owns” the risk. However, organizations usually don’t know best practices for using a risk register. This sort of tool can easily become complex and unruly, and people lose interest when extracting data from a register becomes difficult or consumes a lot of time reading.

A consultant can help train staff in processes that maximize a risk register’s utility. Furthermore, there’s often debate about who owns certain risks. A consultant can objectively arbitrate who owns each risk. They can identify who needs to do X, and who needs to do Y, ultimately saving time, improving staff efficiency, and greatly improving your chances of project success.

Your mention of a cybersecurity risk register naturally leads us to the topic of tools. What should managers know about purchasing or implementing new technology?
RG
: As I mentioned in the last blog, organizations often buy tools, yet rarely maximize their potential. So before managers give the green light to purchase new tools, they should consider ways of leveraging existing tools to perform more, and more effective, processes.

If a manager does purchase a new tool, they should purchase one that is easy to use. Long learning curves can be problematic, especially for smaller organizations. I recommend managers seek out tools that automate cybersecurity processes, making the processes more efficient.

For example, you may want to consider tools that perform continuous vulnerability scans or that automatically analyze data logs for anomalies. These tools may look expensive at first glance, but you have to consider how much it would cost to hire multiple staff members to look for vulnerabilities or anomalies.

And, of course, managers should make sure that a new tool will truly improve their organization’s safeguards against cyber-attack. Ask yourself and your staff: Will this tool really reduce our risk?

Finally, managers need to consider eliminating tools that aren’t working or being used. I once worked with an organization that had expensive cybersecurity tools that simply didn’t function well. When I asked why it kept them, I was told that the person responsible for them was afraid that a breach would occur if they were removed. Meanwhile, these tools were costing the organization around $60,000 a month. That’s real money. The lesson: let business goals, and not fear, dictate your technology decisions.

So, what’s next?
RG
: So far in this series we have covered the concepts of maturity and capacity. Next, we’re going to look at the concept of discovery. Chapter 5 will focus on internal audit strategies that you can use to determine, or discover, whether or not your organization is using tools and processes effectively.

Blog
External capacity: Cybersecurity playbook for management

As a leader in a higher education institution, you'll be familiar with this paradox: Every solution can lead to more problems, and every answer can lead to more questions. It’s like navigating an endless maze. When it comes to mobile apps, the same holds true. So, the question: Should your institution have a mobile app? The Answer? Absolutely.

Devices, not computers, are how millenials communicate, gather, inform, and engage. Millennials, on average, spend 90 hours per month on mobile apps, not including web searches and website visits.

Students are no exception. A 2016 Nielsen study showed that 98% of millennials aged 18 – 24, and 97% of millennials aged 25 – 34, owned a smartphone, while a 2017 comScore report stated that one out of five millennials no longer use desktop devices, including laptops. Mobile apps have quickly filled the desktop void, and as students grow more reliant on mobile technology, colleges and universities are in the mix, creating apps to bolster student engagement.

So should you create an app? Here are some questions you should answer before creating a mobile app. Welcome to the labyrinth! But don’t be frustrated—answer these questions to help you avoid dead ends and overspending.

1. Is a mobile app part of your IT Strategy? Including a mobile app in your IT strategy minimizes confusion at all levels about the objectives of mobile app implementation. It also helps dictate whether an institution needs multiple mobile apps for various functions, or a primary app that connects users with other functionality. If an institution has multiple campuses, should you align all campuses with a single app, or if will each campus develop their own?

2. What will the app do? Mobile apps can perform a multitude of functions, but for the initial implementation, select a few key functions in one main area, such as academics or student life. Institutions can then add functionality in the future as mobile adoption grows, and demand for more functions increases.

3. Who will use the app? Mobile apps certainly improve engagement throughout the student life cycle—from prospect to student to alumni—but they also present opportunities for increased faculty, staff, and community engagement. And while institutions should identify the immediate audience of the app, they should also identify future users, based upon functionality.

4. Who will manage the app? Institutions should determine who is going to manage the mobile app, and how. The discussion should focus on access, content, and functionality. Is the institution going to manage everything in house, from development to release to support, or will a mobile app vendor provide this support under contract? Depending on your institution, these discussions will vary.

5. What data will the app use? Like any new software system, an app is only as good as its supporting data. It’s important to assess the systems to integrate with the mobile app, and determine if the systems’ data is up-to-date and ready for integration. Consider the use of application program interfaces, or APIs. APIs allow apps and platforms to interact with one another. They can enable social media, news, weather, and entertainment apps to connect with your institution’s app, enhancing the user experience with more content for users.

6. How much data security does your app need? Depending on the functionality of the app you create, you will need varying degrees of security, including user authentication safeguards and other protections to keep information safe.

7. How much can you spend for the app? Your institution should decide how much you will spend on initial app development, with an eye toward including maintenance and development costs for future functionality. Complexity increases costs, so you will need to  budget accordingly. Include budget planning for updates and functionality improvements after launch.

You will also need to establish a timeline for the project and roll out. And note that apps deployed toward the end of the academic year experience less adoption than apps deployed at the beginning of the academic year.

Once your institution answers these questions, you will be off to a good start. And as I stated earlier, every answer to a question can lead to more questions. If your institution needs help navigating the mobile app labyrinth, please reach out to me

Blog
The mobile app labyrinth: Seven questions higher education institutions should ask

It may be hard to believe some seasons, but every professional sports team currently has the necessary resources — talent, plays, and equipment — to win. The challenge is to identify and leverage them for maximum benefit. And every organization has the necessary resources to improve its cybersecurity. Chapter 3 in BerryDunn’s Cybersecurity Playbook for Management looks at how managers can best identify and leverage these resources, known collectively as internal capacity.

The previous two chapters focused on using maturity models to improve an organization’s cybersecurity. The next two are about capacity. What is the difference, and connection, between maturity and capacity, and why is it important? 
RG: Maturity refers to the “as is” state of an organization’s cybersecurity program compared to its desired “to be” state. Capacity refers to the resources an organization can use to reach the “to be” state. There are two categories of capacity: external and internal. External capacity refers to outside resources — people, processes, and tools — you can hire or purchase to improve maturity. (We’ll discuss external capacity more in our next installment.) Internal capacity refers to in-house people, processes, and tools you can leverage to improve maturity. 

Managers often have an unclear picture of how to use resources to improve cybersecurity. This is mainly because of the many demands found in today's business environments. I recommend managers conduct internal capacity planning. In other words, they need to assess the internal capacity needed to increase cybersecurity maturity. Internal capacity planning can answer three important questions:

1. What are the capabilities of our people?
2. What processes do we need to improve?
3. What tools do we have that can help improve processes and strengthen staff capability?

What does the internal capacity planning process look like?
RG
: Internal capacity planning is pretty easy to conduct, but there’s no standard model. It’s not a noun, like a formal report. It’s a verb — an act of reflection. It’s a subjective assessment of your team members’ abilities and their capacity to perform a set of required tasks to mature the cybersecurity program. These are not easy questions to ask, and the answers can be equally difficult to obtain. This is why you should be honest in your assessment and urge your people to be honest with themselves as well. Without this candor, your organization will spin its wheels reaching its desired “to be” state.

Let’s start with the “people” part of internal capacity. How can managers assess staff?RG: It’s all about communication. Talk to your staff, listen to them, and get a sense of who has the ability and desire for improving cybersecurity maturity in certain subject areas or domains, like Risk Management or Event and Incident Response. If you work at a small organization,  start by talking to your IT manager or director. This person may not have a lot of cybersecurity experience, but he or she will have a lot of operational risk experience. IT managers and directors tend to gravitate toward security because it’s a part of their overall responsibilities. It also ensures they have a voice in the maturing process.

In the end, you need to match staff expertise and skillsets to the maturity subject areas or domains you want to improve. While an effective manager already has a sense of staff expertise and skillsets, you can add a SWOT analysis to clarify staff strengths, weaknesses, opportunities, and threats.

The good news: In my experience, most organizations have staff who will take to new maturity tasks pretty quickly, so you don’t need to hire a bunch of new people.

What’s the best way to assess processes?
RG
: Again, it’s all about communication. Talk to the people currently performing the processes, listen to them, and confirm they are giving you honest feedback. You can have all the talent in the world, and all the tools in the world — but if your processes are terrible, your talent and tools won’t connect. I’ve seen organizations with millions of dollars’ worth of tools without the right people to use the tools, and vice versa. In both situations, processes suffer. They are the connective tissue between people and tools. And keep in mind, even if your current ones are good, most  tend to grow stale. Once you assess, you probably need to develop some new processes or improve the ones in place.

How should managers and staff develop new processes?
RG
: Developing new ones can be difficult  we’re talking change, right? As a manager, you have to make sure the staff tasked with developing them are savvy enough to make sure the processes improve your organization’s maturity. Just developing a new one, with little or no connection to maturity, is a waste of time and money. Just because measuring maturity is iterative, doesn’t mean your approach to maturing cybersecurity has to be. You need to take a holistic approach across a wide range of cybersecurity domains or subject areas. Avoid any quick, one-and-done processes. New ones should be functional, repeatable, and sustainable; if not, you’ll overburden your team. And remember, it takes time to develop new ones. If you have an IT staff that’s already struggling to keep up with their operational responsibilities, and you ask them to develop a new process, you’re going to get a lot of pushback. You and the IT staff may need to get creative — or look toward outside resources, which we’ll discuss in chapter 4.

What’s the best way to assess tools?
RG
: Many organizations buy many tools, rarely maximize their potential. And on occasion, organizations buy tools but never install them. The best way to assess tools is to select staff to first measure the organization’s inventory of tools, and then analyze them to see how they can help improve maturity for a certain domain or subject area. Ask questions: Are we really getting the maximum outputs those tools offer? Are they being used as intended?

I’ll give you an example. There’s a company called SolarWinds that creates excellent IT management tools. I have found many organizations use SolarWinds tools in very specific, but narrow, ways. If your organization has SolarWinds tools, I suggest reaching out to your IT staff to see if the organization is leveraging the tools to the greatest extent possible. SolarWinds can do so much that many organizations rarely leverage all its valuable feature.

What are some pitfalls to avoid when conducting internal capacity planning?
RG
: Don’t assign maturity tasks to people who have been with the organization for a really long time and are very set in their ways, because they may be reluctant to change. As improving maturity is a disruptive process, you want to assign tasks to staff eager to implement change. If you are delegating the supervision of the maturity project, don’t delegate it to a technology-oriented person. Instead, use a business-oriented person. This person doesn’t need to know a lot about cybersecurity — but they need to know, from a business perspective, why you need to implement the changes. Otherwise, your changes will be more technical in nature than strategic. Finally, don’t delegate the project to someone who is already fully engaged on other projects. You want to make sure this person has time to supervise the project.

Is there ever a danger of receiving incorrect information about resource capacity?
RG
: Yes, but you’ll know really quickly if a certain resource doesn’t help improve your maturity. It will be obvious, especially when you run the maturity model again. Additionally, there is a danger of staff advocating for the purchase of expensive tools your organization may not really need to manage the maturity process. Managers should insist that staff strongly and clearly make the case for such tools, illustrating how they will close specific maturity gaps.

When purchasing tools a good rule of thumb is: are you going to get three times the return on investment? Will it decrease cost or time by three times, or quantifiably reduce risk by three times? This ties in to the larger idea that cybersecurity is ultimately a function of business, not a function of IT. It also conveniently ties in with external capacity, the topic for chapter four.

To find out when we post our next cybersecurity playbook article, please sign up to receive updates here.

Blog
Tapping your internal capacity for better results: Cybersecurity playbook for management

It’s one thing for coaching staff to see the need for a new quarterback or pitcher. Selecting and onboarding this talent is a whole new ballgame. Various questions have to be answered before moving forward: How much can we afford? Are they a right fit for the team and its playing style? Do the owners approve?

Management has to answer similar questions when selecting and implementing a cybersecurity maturity model, and form the basis of this blog – chapter 2 in BerryDunn’s Cybersecurity Playbook for Management.

What are the main factors a manager should consider when selecting a maturity model?
RG: All stakeholders, including managment, should be able to easily understand the model. It should be affordable for your organization to implement, and its outcomes achievable. It has to be flexible. And it has to match your industry. It doesn’t make a lot of sense to have an IT-centric maturity model if you’re not an extremely high-tech organization. What are you and your organization trying to accomplish by implementing maturity modeling? If you are trying to improve the confidentiality of data in your organization’s systems, then the maturity model you select should have a data confidentiality domain or subject area.

Managers should reach out to their peer groups to see which maturity models industry partners and associates use successfully. For example, Municipality A might look at what Municipality B is doing, and think: “How is Municipality B effectively managing cybersecurity for less money than we are?” Hint: there’s a good chance they’re using an effective maturity model. Therefore, Municipality A should probably select and implement that model. But you also have to be realistic, and know certain other factors—such as location and the ability to acquire talent—play a role in effective and affordable cybersecurity. If you’re a small town, you can’t compare yourself to a state capital.

There’s also the option of simply using the Cybersecurity Capability Maturity Model (C2M2), correct?
RG: Right. C2M2, developed by the U.S. Department of Energy, is easily scalable and can be tailored to meet specific needs. It also has a Risk Management domain to help ensure that an organization’s cybersecurity strategy supports its enterprise risk management strategy.

Once a manager has identified a maturity model that best fits their business or organization, how do they implement it?
RG: STEP ONE: get executive-level buy-in. It’s critical that executive management understands why maturity modeling is crucial to an organization's security. Explain to them how maturity modeling will help ensure the organization is spending money correctly and appropriately on cybersecurity. By sponsoring the effort, providing adequate resources, and accepting the final results, executive management plays a critical role in the process. In turn, you need to listen to executive management to know their priorities, issues, and resource constraints. When facilitating maturity modeling, don’t drive toward a predefined outcome. Understand what executive management is comfortable implementing—and what the business or organization can afford.

STEP TWO: Identify leads who are responsible for each domain or subject area of the maturity model. Explain to these leads why the organization is implementing maturity modeling, expected outcomes, and how their input is invaluable to the effort’s success. Generally speaking, the leads responsible for subject areas are very receptive to maturity modeling, because—unlike an audit—a maturity model is a resource that allows staff to advocate their needs and to say: “These are the resources I need to achieve effective cybersecurity.”

Third, have either management or these subject area leads communicate the project details to the lower levels of the organization, and solicit feedback, because staff at these levels often have unique insight on how best to manage the details.

The fourth step is to just get to work. This work will look a little different from one organization to another, because every organization has its own processes, but overall you need to run the maturity model—that is, use the model to assess the organization and discover where it measures up for each subject area or domain. Afterwards, conduct work sessions, collect suggestions and recommendations for reaching specific maturity levels, determine what it’s going to cost to increase maturity, get approval from executive management to spend the money to make the necessary changes, and create a Plan of Action and Milestones (POA&M). Then move forward and tick off each milestone.

Do you suggest selecting an executive sponsor or an executive steering committee to oversee the implementation?
RG: Absolutely. You just want to make sure the executive sponsors or steering committee members have both the ability and the authority to implement changes necessary for the modeling effort.

Should management consider hiring vendors to help implement their cybersecurity maturity models?
RG: Sure. Most organizations can implement a maturity model on their own, but the good thing about hiring a vendor is that a vendor brings objectivity to the process. Within your organization, you’re probably going to find erroneous assumptions, differing opinions about what needs to be improved, and bias regarding who is responsible for the improvements. An objective third party can help navigate these assumptions, opinions, and biases. Just be aware some vendors will push their own maturity models, because their models require or suggest organizations buy the vendors’ software. While most vendor software is excellent for improving maturity, you want to make sure the model you’re using fits your business objectives and is affordable. Don’t lose sight of that.

How long does it normally take to implement a maturity model?

RG: It depends on a variety of factors and is different for every organization. Keep in mind some maturity levels are fairly easy to reach, while others are harder and more expensive. It goes without saying that well-managed organizations implement maturity models more rapidly than poorly managed organizations.

What should management do after implementation?
RG: Run the maturity model again, and see where the organization currently measures up for each subject area or domain. Do you need to conduct a maturity model assessment every year? No, but you want to make sure you’re tracking the results year over year in order to make sure improvements are occurring. My suggestion is to conduct a maturity model assessment every three years.

One final note: make sure to maintain the effort. If you’re going to spend time and money implementing a maturity model, then make the changes, and continue to reassess maturity levels. Make sure the process becomes part of your organizations’ overall strategic plan. Document and institutionalize maturity modeling. Otherwise, the organization is in danger of losing this knowledge when the people who spearheaded the effort retire or pursue new opportunities elsewhere.

What’s next?
RG: Over the next couple of blogs, we’ll move away from talking about maturity modeling and begin talking about the role capacity plays in cybersecurity. Blog #3 will instruct managers on how to conduct an internal assessment to determine if their organizations have the people, processes, and technologies they need for effective cybersecurity.

To find out when we post our next cybersecurity playbook article, please sign up to receive updates here.

Blog
Selecting and implementing a maturity model: Cybersecurity playbook for management

Good Practices Are Not Enough

When it comes to IT security, more than one CEO running a small organization has told me they have really good people taking care of “all that.” These CEOs choose to believe their people perform good practices. That may be true, but who defines good practices and how they administer them? And when? If “security is everyone’s job,” then nobody is responsible for getting specific things done. Good practices require consistency, and consistency requires structure.

From an audit perspective, a control not written down does not exist. Why? Because it can’t be tested, measured, or validated. An IT Auditor can’t assess controls if they were never defined. Verbal instruction carries by far the most risk. “I told him to do that,” doesn’t pass the smell test in court.

Why Does it Matter?

Because it’s not IT’s job to write policies. Their job is to implement IT decisions made by management. They’re not at the right level to make decisions that impact the entire organization. Why should small organizations concern themselves with developing policies and procedures? Here are two very good reasons:

1. Regulatory Requirements
2. Lawsuits

No matter how small your organization, if you have a corporate network (even cloud-based) and you store credit card transactions, personal health information, client financial information or valuable intellectual property, being aware of state and federal regulatory requirements for protecting that information is vital. It is the responsibility of management to research and develop a management framework for addressing risk.

Lawsuits happen when information is stolen and/or employees are terminated for inappropriate activities. If you have no policies that mandate what is and isn’t acceptable, and what the penalties are for violations, your terminated employee has grounds for a wrongful termination lawsuit: policy should not be written by the IT Department.

If confidential data you are responsible for is stolen and clients sue you, standing up in court and saying “We don’t have any written policies or procedures,” is a sure way to have both significant financial losses and a negative impact on your reputation. For a small organization, that could mean going out of business.

Even if data is stolen from a third-party vendor who stores your data, your organization owns the data and is responsible for ensuring the data is secure with the vendor and meets organizational requirements. Do you have a vendor management policy? If you work with vendors, you need one.

Consider, too, that every organization expects to grow its business. The longer management doesn’t pay attention to policies and procedures, the more difficult it becomes to develop and implement them.

Medium and Large Organizations Need to Pay Attention, too

A policy document provides a framework for defining activities and decision-making by everyone in the organization. A policy contains standards for the organization, and outlines penalties for non-performance. The organization’s management team or board of directors must drive their creation.
Policies also maintain accountability in the eyes of internal and external stakeholders. Even the smallest organization wants their customers and employees to have confidence the organization is protecting important information. By defining the necessary controls for running business operations that address risk and compliance requirements (and reviewing them annually), your management team demonstrates a commitment to good practices.

Procedures are the “How”

Procedures don’t belong in a policy. Departments need to be able to design their own procedures to meet policy requirements and definitions. HR will have procedures for employee privacy and financial information, finance must manage credit card, student, banking or client financial documentation, and IT will need to develop specific technical procedures to document their compliance with policy.

If all those procedures are in a policy, it makes for unwieldy policy documents that management must review and approve. Departments need to change and update their procedures quickly in order to remain effective. For example, a policy may mandate the minimum number of characters in a password, but IT needs to develop the procedures to implement that requirement on many platforms and devices.

What is a “Plan” Used For?

Consider that organizations commonly have a Business Continuity Plan as well as an Incident Response Plan. How is a “plan” different from a policy or procedure?

A plan (for example, an Information Security Plan, or Privacy Plan, etc.) is a collection of related procedures with a specific focus. I have seen these collections called “programs,” but most organizations use “plan” (plus, the Federal government uses that term). The term “program” implies a beginning and an end, as well as tending to be a little too generic (think “School Lunch Program”).

Three Ways Not to Develop Policies, Procedures and Plans

1.

Getting templates from the Internet. Doing a Google search delivers an overwhelming number of approaches, examples and material. Policy templates found online may not be applicable to your organization’s purpose, or require so much editing they defeat the template’s purpose. 

2.

Alternatively, going to organizational peers can endlessly replicate one poorly developed approach to documentation.

3.

Writing policies and procedures totally focused on meeting one regulatory requirement frequently necessitates a total re-write as soon as the next regulation comes along.

Consider the Unique Aspects of Your Organization

What electronic information does your organization consider valuable? During an assessment with a state university, we discovered that the farm research the agriculture school was performing was extremely valuable. While we started out with questions about student health and financial information, the university realized the research data was equally critical. The information might not have federal or state regulations attached to it, but if it is valuable to your organization, you need to protect it. By not taking a one-size fits all approach to our assessment, we were able to meet their specific needs.

Multiple Departments or Locations? Standardize.

Whether your organization is a university, non-profit organization, government agency, medical center or business, you frequently have sub-entities. Each sub-entity or location may have different terms for different functions. For example, at a recent engagement for another university, Information Security “Programs,” “Plans” and “Policies” meant different things on different campuses. This caused confusion on the part of all stakeholders. It also showed a lack of cohesion in the approach to security of the university as a whole. Standardizing language is one of the best ways to have everyone in the organization on the same page, even if the documents are unique to a location, agency or site. This makes planning, implementation, and system upgrade projects run more effectively.

Demonstrate Competence

No matter what terms your organization chooses, using consistent terms is a good way to demonstrate a thoughtful approach. Everyone needs to be talking the same language. Having documents that specify management decisions provides assurance to internal and external stakeholders. Good policies, procedures and plans can mean the difference between a manageable crisis and a business failure.

To receive IT security updates, please sign up here.

Blog
Policies, procedures, and plans—defining the language of your organization

Most of us have been (or should have been) instructed to avoid using clichés in our writing. These overstated phrases and expressions add little value, and often only increase sentence length. We should also avoid clichés in our thinking, for what we think can often influence how we act.

Consider, for example, “death by committee.” This cliché has greatly — and negatively — skewed views on the benefits of committees in managing projects. Sure, sometimes committee members have difficulty agreeing with one another, which can lead to delays and other issues. In most cases, though, an individual can’t possibly oversee all aspects of a project, or represent all interests in an organization. Committees are vital for project success — and arguably the most important project committee is the steering committee.

What Exactly is a Steering Committee?
It is a group of high-level stakeholders that provides strategic direction for a project, and supports the project manager. Ideally, the group increases the chances for project success by closely aligning project goals to organizational goals. However, it is important to point out that the group’s top priority is project success.

The committee should represent the different departments and agencies affected by the project, but remain relatively small in size, chaired by someone who is not an executive sponsor of the project (in order to avoid conflicts of interest). While the project manager should serve on the steering committee, they should not participate in decision-making; the project manager’s role is to update members on the project’s progress, areas of concern, current issues, and options for addressing these issues.

Overall, the main responsibilities of a steering committee include:

  1. Approving the Project Charter
  2. Resolving conflicts between stakeholder groups
  3. Monitoring project progress against the project management plan
  4. Fostering positive communicating about the project within the organization
  5. Addressing external threats and issues emerging outside of the project that could impact it
  6. Reviewing and approving changes made to the project resource plan, scope, schedules, cost estimates, etc.

What Are the Pros and Cons of Utilizing a Steering Committee?
A group of executive stakeholders providing strategic direction should benefit any project. Because steering committee members are organizational decision-makers, they have the access and credibility to address tough issues that can put the project at a risk, and have the best opportunities to negotiate positive outcomes. In addition, steering committees can engage executive management, and make sure the project meshes with executive management’s vision, mission, and long-range strategic plan. Steering committees can empower project managers, and ensure that all departments and agencies are on the same page in regards to project status, goals, and expectations. In a 2009 article in Project Management Journal, authors Thomas G. Lechler and Martin Cohen concluded that steering committees are important to implementing and maintaining project management standards on an operational level — not only do steering committees directly support project success, they are instrumental in deriving value from an organization's investments in its project management system.

A steering committee is only as effective as it’s allowed to be. A poorly structured steering committee that lacks formal authority, clear roles, and clear responsibilities can impede the success of a project by being slow to respond to project issues. A proactive project manager can help the organization avoid this major pitfall by helping develop project documents, such as the governance document or project plan that clearly define the steering committee structure, roles, responsibilities and authority.

Steer Toward Success!
Steering committees can benefit your organization and its major projects. Yet understanding the roles and responsibilities — and pros and cons — is only a preliminary step in creating a steering committee. Need some advice on how to organize a steering committee? Want to learn more about steering committee best practices? Together, we can steer your project toward success.

Blog
Success by steering committee

The relationship between people, processes, and technology is as elemental as earth—and older than civilization. From the first sharpened rock to the Internet of Things, the three have been crucially intertwined and interdependent. There would have been no Industrial Revolution, for instance, without entrepreneurs who developed new tools to facilitate new manufacturing methods.

Of course, the increasing complexity of processes and the rapid innovations in technology tend to eclipse the present role that people play in progress. On the surface the trend seems understandable, even reasonable, when it comes to implementing a new Enterprise Resource Planning (ERP) system. Implementing a new ERP system is one of the most daunting projects an institution can undertake. Some sobering statistics—over 70% of all implementations take longer than planned, while over 50% go over budget—illustrate why many institutions focus on selecting the right ERP model and purchasing the right software. This is important, yet there are two excellent and connected reasons why your institution should focus on the “people component” of an ERP implementation.

Reason #1: The Technology is Tenable

Companies have improved and vetted ERP systems over time, so that today there’s little chance your institution will purchase poorly designed ERP software. And you have multiple options. For example, you could pursue a hosted ERP model in which a data center houses your ERP system, or a Software as a Service (SaaS) model, in which a third party administers your ERP software. These options help minimize hardware implementation, maintenance, and incomplete attempts at full system utilization—which in turn saves you time, money, and headaches.

In short: You won’t have to bear the full brunt of the tech burden, and the software and hardware you purchase should work. This enables you to concentrate on the people component of the system.

Reason #2: People Propel the Processes

A higher education institution can optimize an ERP system to complete countless processes: automating registration, onboarding staff, processing financial aid, improving self-service capabilities, simplifying record-keeping, etc. Yet a system can’t do all this on its own (not yet, at least). People—both functional and IT staff—propel these processes. For this to happen, your institution needs to secure buy-in and equip people with vision, training, and resources.

People are wary of ERP projects, for good reason. When an institution decides to tackle an ERP implementation the onus often falls on already busy staff, some of whom may rather find a new career than manage a new system implementation. Your staff and their institutional knowledge are your greatest assets. It is important to empower staff to define how future-state business processes should work—and for you to remember that a common reason for ERP implementation failure is lack of engagement. Sometimes, those at the executive level make decisions without adequate input from the people who actually do the work. You will need to sharpen your “people skills” in order to educate stakeholders on the value of a new ERP system, and how the software will make their day-to-day roles and responsibilities more efficient and effective. To ensure that staff have the bandwidth to engage in this change, it is advisable to provide backfill for key administrative functions.

Designing business processes of a future-state system is arguably the most challenging part of an ERP implementation. Often, stakeholders don’t understand the new functionality that a future system can offer because they have only used the prior system. It is important to engage the ERP vendor early and educate your staff to ensure that they understand the possibilities when designing future-state processes.

Once you have designed processes, training should take center stage. And once again, people play a pivotal role in this process. Modern ERP systems usually require staff to fundamentally conduct business differently; this can require training not only on the new system, but also on other foundational technologies (e.g., the office suite) not relied upon before. It is important to identify these needs and incorporate them into your institution’s training plan up front.

An effective training plan needs to balance multiple types of training, ranging from formal classroom sessions to online learning and train-the-trainer sessions. Tech-savvy staff will be able to train other staff in using the new ERP system, which will not only increase the skill sets of said staff, but will also help them better understand how their roles fit within the larger picture of the institution. This, in turn, will organically improve communication and workflow, as well as lead to more collaboration and teamwork. The result: positive institution-wide change.

Moving Forward

Think about your institution’s focus when implementing a new ERP system—and be aware of the benefits that it could have for your staff, your students, and your bottom line. You will face other ERP-related challenges, such as selecting the right third-party vendor and facilitating change management. If you’d like to discuss some strategies for tackling these challenges, this process is easy—just send me an email.

Blog
The people component: Why higher education institutions should focus on staff when implementing an ERP system

For professional baseball players who get paid millions to swing a bat, going through a slump is daunting. The mere thought of a slump conjures up frustration, anxiety and humiliation, and in extreme cases, the possibility of job loss.

The concept of a slump transcends sports. Just glance at the recent headlines about Yahoo, Equifax, Deloitte, and the Democratic National Committee. Data breaches occur on a regular basis. Like a baseball team experiencing a downswing, these organizations need to make adjustments, tough decisions, and major changes. Most importantly, they need to realize that cybersecurity is no longer the exclusive domain of Chief Information Security Officers and IT departments. Cybersecurity is the responsibility of all employees and managers: it takes a team.

When a cybersecurity breach occurs, people tend to focus on what goes wrong at the technical level. They often fail to see that cybersecurity begins at the strategic level. With this in mind, I am writing a blog series to outline the activities managers need to take to properly oversee cybersecurity, and remind readers that good cybersecurity takes a top-down approach. Consider the series a cybersecurity playbook for management. This Q&A blog — chapter 1 — highlights a basic concept of maturity modeling.

Let’s start with the basics. What exactly is a maturity model?
RG
: A maturity model is a framework that assesses certain elements in an organization, and provides direction to improve these elements. There are project management, quality management, and cybersecurity maturity models.

Cybersecurity maturity modeling is used to set a cybersecurity target for management. It’s like creating and following an individual development program. It provides definitive steps to take to reach a maturity level that you’re comfortable with — both from a staffing perspective, and from a financial perspective. It’s a logical road map to make a business or organization more secure.

What are some well-known maturity models that agencies and companies use?
RG
: One of the first, and most popular is the Program Review for Information Security Management Assistance (PRISMA), still in use today. Another is the Capability Maturity Model Integration (CMMI) model, which focuses on technology. Then there are some commercial maturity models, such as the Gartner Maturity Model, that organizations can pay to use.

The model I prefer is the Cybersecurity Capability Maturity Model (C2M2), developed by the U.S. Department of Energy. I like C2M2 because it directly maps to the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) compliance, which is a prominent industry standard. C2M2 is easily understandable and digestible, it scales to the size of the organization, and it is constantly updated to reflect the most recent U.S. government standards. So, it’s relevant to today’s operational environment.

Communication is one of C2M2’s strengths. Because there is a mechanism in the model requiring management to engage and support the technical staff, it facilitates communication and feedback at not just the operational level, but at the tactical level, and more significantly, the management level, where well-designed security programs start.

What’s the difference between processed-based and capability-based models?
RG
: Processed-based models focus on performance or technical aspects — for example, how mature are processes for access controls? Capability-based models focus on management aspects — is management adequately training people to manage access controls?

C2M2 combines the two approaches. It provides practical steps your organization can take, both operationally and strategically. Not only does it provide the technical team with direction on what to do on a daily basis to help ensure cybersecurity, it also provides management with direction to help ensure that strategic goals are achieved.

Looking at the bigger picture, what does an organization look like from a managerial point of view?
RG
: First, a mature organization communicates effectively. Management knows what is going on in their environment.

Most of them have very competent staff. However, staff members don’t always coordinate with others. I once did some security work for a company that had an insider threat. The insider threat was detected and dismissed from the company, but management didn’t know the details of why or how the situation occurred. Had there been an incident response plan in place (one of the dimensions C2M2 measures) — or even some degree of cybersecurity maturity in the company, they would’ve had clearly defined steps to take to handle the insider threat, and management would have been aware from an early stage. When management did find out about the insider threat, it became a much bigger issue than it had to be, and wasted time and resources. At the same time, the insider threat exposed the company to a high degree of risk. Because upper management was unaware, they were unable to make a strategic decision on how to act or react to the threat.

That’s the beauty of C2M2. It takes into account the responsibilities of both technical staff and management, and has a built-in communication plan that enables the team to work proactively instead of reactively, and shares cybersecurity initiatives between both management and technical staff.

Second, management in a mature organization knows they can’t protect everything in the environment — but they have a keen awareness of what is really important. Maturity modeling forces management to look at operations and identify what is critical and what really needs to be protected. Once management knows what is important, they can better align resources to meet particular challenges.

Third, in a mature organization, management knows they have a vital role to play in supporting the staff who address the day-to-day operational and technical tasks that ultimately support the organization’s cybersecurity strategy.

What types of businesses, not-for-profits, and government agencies should practice maturity modeling?
RG
: All of them. I’ve been in this industry a long time, and I always hear people say: “We’re too small; no one would take any interest in us.”

I conducted some work for a four-person firm that had been hired by the U.S. military. My company discovered that the firm had a breach and the four of them couldn’t believe it because they thought they were too small to be breached. It doesn’t matter what the size of your company is: if you have something someone finds very valuable, they’re going to try to steal it. Even very small companies should use cybersecurity models to reduce risk and help focus their limited resources on what is truly important. That’s maturity modeling: reducing risk by using approaches that make the most sense for your organization.

What’s management’s big takeaway?
RG
: Cybersecurity maturity modeling aligns your assets with your funding and resources. One of the most difficult challenges for every organization is finding and retaining experienced security talent. Because maturity modeling outlines what expertise is needed where, it can help match the right talent to roles that meet the established goals.

So what’s next?
RG
: In our next installment, we’ll analyze what a successful maturity modeling effort looks like. We’ll discuss the approach, what the outcome should be, and who should be involved in the process. We’ll discuss internal and external cybersecurity assessments, and incident response and recovery.

To find out when we post our next cybersecurity playbook article, please sign up to receive updates here.

Blog
Maturity modeling: Cybersecurity playbook for management

A year ago, CMS released the Medicaid Enterprise Certification Toolkit (MECT) 2.1: a new Medicaid Management Information Systems (MMIS) Certification approach that aligns milestone reviews with the systems development life cycle (SDLC) to provide feedback at key points throughout design, development, and implementation (DDI).

The MECT (recently updated to version 2.2) incorporates lessons learned from pilot certifications in several states, including the successful West Virginia pilot that BerryDunn supported. MECT updates have a direct impact on E&E systems—an impact that may increase in the near future. Here is what you need to know:         

Then: Initial Release

In February 2017, CMS introduced six Eligibility & Enrollment (E&E) checklists. Five were leveraged from the MECT, while the sixth checklist contained unique E&E system functionality criteria and provided a new E&E SDLC that—like the MECT—depicted three milestone reviews and increased the Independent Verification and Validation (IV&V) vendor’s involvement in the checklists completion process.

Now: Getting Started

Completing the E&E checklists will help states ensure the integrity of their E&E systems and help CMS guide future funding. This exercise is no easy task, particularly when a project is already in progress. Completion of the E&E checklists involves many stakeholders, including:

  • The state (likely more than one agency)
  • CMS
  • IV&V
  • Project Management Office (PMO)
  • System vendor(s)

As with any new processes, there are challenges with E&E checklists completion. Some early challenges include:

  • Completing the E&E checklists with limited state project resources
  • Determining applicable criteria for E&E systems, especially for checklists shared with the MMIS
  • Identifying and collecting evidence for iterative projects where criteria may not fall cleanly into one milestone review phase
  • Completing the E&E checklists with limited state project resources
  • Working with the system vendor(s) to produce evidence

What’s Next?

Additionally, working with system vendors may prove tricky for projects that already have contracts with E&E vendors, as E&E systems are not currently subject to certification (unlike the MMIS). This may lead to instances where E&E vendors are not contractually obligated to provide the evidence that would best satisfy CMS criteria. To handle this and other challenges, states should communicate risks and issues to CMS and work together to resolve or mitigate them.

As CMS partners with states to implement the E&E checklists, some questions are expected to be asked. For example, how much information can be leveraged from the MECT, and how much of the checklists completion process must be E&E-specific? Might certification be required in the near future for E&E systems?

While there will be more to learn and challenges to overcome, the first states completing the E&E checklists have an opportunity to lead the way on working with CMS to successfully build and implement E&E systems that benefit all stakeholders.

On July 31, 2017, CMS released the MECT 2.2 as an update to the MECT 2.1.1. As the recent changes continue to be analyzed, what will the impact be to current and future MMIS and E&E projects?

Check back here at BerryDunn Briefings in the coming weeks and we will help you sort it out.

Blog
Check this: CMS checklists aren't just for MMIS anymore.

We all know them. In fact, you might be one of them — people who worry the words “go live” will lead to job loss (theirs). This feeling is not entirely irrational. When an organization is ready to go live from an existing legacy system to a new enterprise system, stress levels rise and doubts emerge: What can go wrong? How much time will be lost? Are we really ready for this?

We’re here to help. Here is a list of go-live essentials to help you mitigate stress and assess your readiness. While not all-encompassing, it’s a good place to start. Here’s what you need:

  1. A detailed project plan which specifies all of the implementation tasks
    A project plan is one of the most important parts of an implementation. A detailed plan that identifies all of the implementation tasks along with an assigned resource for each task is critical to success. The implementation vendor and the organization should develop this plan together to get buy-in from both teams.
  1. A completed system configuration
    New system configuration is one of the most time-consuming aspects of a technology implementation. If you don’t complete the implementation in a timely manner, it will impact your go-live date. Configure the new system based upon the best practices of the system — not how the existing system was — for timely implementation.
  1. External system interface identification
    While replacement of some external systems may be a goal of an implementation, there may be situations where external systems are not replaced or the organization has to send and/or receive data from external organizations. And while new systems have advanced interface technology capabilities, the external systems may not share these capabilities. Therefore it is imperative that you identify external system interfaces to avoid gaps in functionality.
  1. Testing, testing, testing
    End-to-end testing or User Acceptance Testing (UAT) is often overlooked. It involves completing testing scenarios for each module to ensure appropriate system configuration. While the timing of UAT may vary, allow adequate time to identify solutions to issues that may result from UAT.
  1. Data conversion validation
    When you begin using a new system, it’s best to ensure you’re working with clean, up-to-date data. Identify data conversion tasks in the project plan and include multiple data conversion passes. You must also determine if the existing data is actually worth converting. When you complete the data conversion, check for accuracy.
  1. End user training
    You must train all end users to ensure proper utilization across the organization. Don’t underestimate the amount of time needed for end user training. It is also important to provide a feedback mechanism for end users to determine if the training was successful.
  1. A go-live cutover plan
    The overall project plan may indicate go-live as an activity. List specific activities to complete as part of go-live. You can build these tasks into the project plan or maintain them as a separate checklist to promote a smooth transition.
  1. Support structure
    Establish an internal support structure when preparing for go-live to help address issues that may arise. Most organizations take time to configure and test the system and provide training to end users prior to go-live. Questions will arise as part of this process — establish a process to track and address these questions.

Technology implementations can significantly impact your organization, and it’s common for stress levels to rise during the go-live process. But with the right assessment and preparation, you can lessen their impact and reduce staff stress. Our experienced, objective advisors work with public and private sector organizations across the country to oversee large enterprise projects from inception to successful completion. Please reach out to us to learn more about preparing for your next big project.

Blog
Don't worry, just assess: Eight tips for reducing go-live stress